feat(refactor): ready for manual QA after main sync (#274)

* fix: preserve gateway token query in websocket URLs

* fix: classify secure-context device identity handshake errors

* fix: normalize trailing dot in host allowlist checks

* fix: support proxied gateway websocket paths and tailnet host normalization

* fix: auto-connect startup to primary configured gateway

* fix: keep gateway tokens server-side only

* fix: allow authenticated viewers to resolve gateway connect credentials

* fix: identify mission control as operator gateway client

* fix: redirect remote http sessions to https for gateway auth

* fix: support URL-style gateway hosts in health probes

* fix: resolve primary gateway credentials from detected openclaw runtime

* fix: hide duplicate gateway connection summary when managed

* refactor: remove super admin and workspaces panels from UI navigation

* fix: treat configured gateways as full-mode capability

* refactor: move promo banner copy into subtle footer note

* fix: stabilize gateway websocket connect protocol detection

* test: cover https forwarded proto for gateway websocket url

* fix: load canonical agent files and memory in detail panel

* fix: resolve agent files from openclaw workspace conventions

* fix: persist websocket client across route remounts

* feat: allow deleting agents with optional workspace removal

* feat: refresh mission control branding and favicon assets

* feat: complete github parity sync implementation

* chore: remove e2e temp artifacts from repo

* feat: add embedded /chat panel with shared chat workspace

* feat: unify sessions navigation into chat panel

* feat: show local Claude/Codex sessions in chat list

* feat: enable local session continuation and chat tagging

* fix: correct local codex session recency detection

* fix: refresh local session age and anchor chat composer

* refactor: make chat provider-session-first by mode

* fix: add local provider and MC health rows in overview

* feat: finalize tenant-scoped workspaces and full e2e coverage

* feat: improve session workbench controls and smoke coverage

* refactor: extract SaaS code to separate pro repo

- Add registerAuthResolver() hook to auth.ts
- Add registerMigrations() hook to migrations.ts
- Remove saas config block, SaaS modules, Pro API routes
- Keep adapters, super-admin routes, migration 032

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add framework adapters and self-update mechanism

- Framework adapter layer for multi-agent registration (autogen, crewai, langgraph, claude-sdk, openclaw, generic)
- Self-update API endpoint (admin-only git pull + install + build)
- Update banner UI component showing available versions with dismiss

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: update README stats, remove stale Super Admin refs, improve self-update

- Panel count 28→32, API routes 66→95, migrations 21→30
- Remove Super Admin from UI-facing docs (APIs remain)
- Document framework adapters and self-update mechanism
- Mark workspace isolation, adapters, projects as completed in roadmap
- Self-update now uses tag-based checkout instead of branch pull
- Plugin hook comments: "Pro" → "extensions"

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add skills hub with registry integration, bidirectional sync, and local agent discovery

- Bidirectional disk↔DB skill sync via scheduler (60s interval, SHA-256 change detection, disk-wins conflict resolution)
- ClawdHub + skills.sh registry proxy with search, install, and security scanning (9 rules: prompt injection, credential leaks, data exfiltration, obfuscated content)
- Local agent discovery from ~/.agents/, ~/.codex/agents/, ~/.claude/agents/ with bidirectional sync
- DB-backed skills API with filesystem fallback, admin-only install, rate limiting
- Skills panel: installed/registry tabs, security badges, friendly source labels, OpenClaw gateway support
- Agent panel: local sync button, source badges (local/gateway)
- Migrations 033 (skills table) and 034 (agents source/hash/workspace columns)
- Full test coverage: 24 unit tests, 34 E2E tests (286 total suite green)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add per-agent rate limiting and agent self-registration

- Per-agent rate limiter keyed on x-agent-name header (falls back to IP)
- Agent heartbeat: 30 req/min per agent, task polling: 20 req/min per agent
- Rate limit response headers (Retry-After, X-RateLimit-*) for agent backoff
- POST /api/agents/register: self-service registration with viewer-level auth
- Idempotent registration (re-registering updates last_seen, returns existing)
- Name validation, role whitelist, capabilities/framework in config
- Self-registration rate-limited to 5/min per IP
- 9 E2E tests for self-registration (295 total suite green)
- README: updated API route count (97), test counts, new endpoints

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: enhance agent cost panel, OAuth approval UI, and framework adapter gateway

- Agent Cost Panel: add task cost attribution drill-down, cost share
percentages, bar chart comparison, 5th summary card for task-attributed
costs, 30s auto-refresh, and tabbed expanded view (tasks/models)
- OAuth Approval UI: replace window.prompt() with inline role selector
and note input, add avatar display, show animated pending count badge,
add dedicated "awaiting approval" state on login page
- Framework Adapter Gateway: wire GenericAdapter.getAssignments() to
query task queue, add POST /api/adapters route for framework-agnostic
agent actions (register, heartbeat, report, assignments, disconnect)
- Clean up dead api-keys import and DB-backed key resolution from
auth.ts (moved to Pro repo)
- Resolve README merge conflicts, update route count to 98

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: complete free-tier functionality — adapters, workspace CRUD, agent sync, and UI polish

- Implement all 5 framework adapter stubs (claude-sdk, crewai, langgraph, autogen, openclaw)
with shared queryPendingAssignments() helper to eliminate SQL duplication
- Add recurring gateway_agent_sync scheduler task (was startup-only)
- Add workspace CRUD API: POST/PUT/DELETE /api/workspaces with tenant isolation
- Add local agent discovery for flat .md files (Claude Code agent format with YAML frontmatter)
- Add per-agent cost breakdown API (GET /api/tokens/by-agent)
- Add API key rotation endpoint (GET/POST /api/tokens/rotate)
- Add Google OAuth disconnect endpoint
- Polish login page with inline Google Sign-In button
- Enhance settings panel with Security tab (API key management, OAuth)
- Enhance agent cost panel with per-agent DB view
- Add Awesome OpenClaw as third skill registry source
- Add integration connectivity test fallback

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: include session-message component (required by chat-workspace)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: gateway dot color should reflect live connection state

When WebSocket is connected, show green dot regardless of stored
probe status. Prevents misleading red dot + green CONNECTED badge.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: agent creation progress modal and openclaw CLI flag

- Remove invalid --name flag from openclaw agents add CLI invocation
- Add multi-step progress UI to CreateAgentModal showing DB insert,
gateway write, and workspace provisioning steps with animated status
- Progress view replaces review content during creation with spinner,
checkmark, and error states per step
- Auto-close on success after 1.5s, retry/close buttons on error
- Squad panel: add status-based card edge colors and glow styles

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: task dispatch — scheduler polls assigned tasks and runs agents via openclaw CLI

Adds a task_dispatch scheduler job that picks up tasks in 'assigned' status,
executes them via `openclaw agent --local --json`, and moves them to 'review'
with the agent's response as resolution + comment.

* feat: link dispatched tasks to agent sessions — view session from task detail

- task-dispatch: extract sessionId from openclaw JSON response, store in task metadata
- task detail modal: "View Session" button navigates to /chat with the agent's session transcript
- shows pulsing "Live" indicator when task is in_progress
- agent squad panel: show quality_review and done counts in task stats

* feat: automated Aegis quality review — scheduler polls review tasks and approves/rejects

- aegis_review scheduler job picks up tasks in 'review' status every 60s
- runs openclaw agent to evaluate task resolution quality
- approved → done, rejected → in_progress with feedback as comment
- quality-review API: rejected reviews now push task back to in_progress
- approved reviews work for any reviewer (not just aegis)

* feat: natural language recurring tasks + Claude Code task bridge

Add NL schedule parser (zero deps) for creating recurring tasks via
"every morning at 9am" style input. Template-clone pattern spawns dated
child tasks on cron schedule with Aegis quality gates per instance.

Read-only bridge surfaces Claude Code team tasks and configs from
~/.claude/tasks/ and ~/.claude/teams/ on the MC dashboard.

New files: schedule-parser.ts, recurring-tasks.ts, claude-tasks.ts,
API routes for /claude-tasks and /schedule-parse.
Modified: scheduler.ts (recurring_task_spawn), migrations.ts (036),
task-board-panel.tsx (schedule UI + badges + CC section),
cron-management-panel.tsx (CC teams section).

* docs: update README with recurring tasks and Claude Code task bridge

Add sections for natural language recurring tasks, Claude Code task
bridge, new API endpoints, architecture tree entries, and roadmap items.

* fix: agent card redesign, gateway badge tooltip, and ws:// for localhost gateways

- Compact agent cards: remove 4 colored stat boxes, show inline task stats,
display model name from config, remove session info box, remove Busy button
- Gateway ConnectionBadge: rich hover tooltip with host, latency, WS/SSE status
- Fix gateway connect over T

.env.example

@@ -67,7 +67,8 @@ NEXT_PUBLIC_GATEWAY_HOST=
 NEXT_PUBLIC_GATEWAY_PORT=18789
 NEXT_PUBLIC_GATEWAY_PROTOCOL=
 NEXT_PUBLIC_GATEWAY_URL=
-# NEXT_PUBLIC_GATEWAY_TOKEN=  # Optional, set if gateway requires auth token
+# Do not expose gateway tokens via NEXT_PUBLIC_* variables.
+# Keep gateway auth secrets server-side only (OPENCLAW_GATEWAY_TOKEN / GATEWAY_TOKEN).
 # Gateway client id used in websocket handshake (role=operator UI client).
 NEXT_PUBLIC_GATEWAY_CLIENT_ID=openclaw-control-ui
 

.github/workflows/quality-gate.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version-file: '.nvmrc'
           cache: 'pnpm'
 
       - name: Install dependencies

.gitignore

@@ -35,6 +35,12 @@ aegis/
 # Playwright
 test-results/
 playwright-report/
+.tmp/
+.playwright-mcp/
+
+# Local QA screenshots
+/e2e-debug-*.png
+/e2e-channels-*.png
 
 # Claude Code context files
 CLAUDE.md

.node-version

@@ -0,0 +1 @@
+22

.nvmrc

@@ -0,0 +1 @@
+22

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-slim AS base
+FROM node:22.22.0-slim AS base
 RUN corepack enable && corepack prepare pnpm@latest --activate
 WORKDIR /app
 
@@ -20,7 +20,14 @@ COPY --from=deps /app/node_modules ./node_modules
 COPY . .
 RUN pnpm build
 
-FROM node:20-slim AS runtime
+FROM node:22.22.0-slim AS runtime
+
+ARG MC_VERSION=dev
+LABEL org.opencontainers.image.source="https://github.com/openclaw/mission-control"
+LABEL org.opencontainers.image.description="Mission Control - operations dashboard"
+LABEL org.opencontainers.image.licenses="MIT"
+LABEL org.opencontainers.image.version="${MC_VERSION}"
+
 WORKDIR /app
 ENV NODE_ENV=production
 RUN addgroup --system --gid 1001 nodejs && adduser --system --uid 1001 nextjs
@@ -30,11 +37,11 @@ COPY --from=build /app/.next/static ./.next/static
 COPY --from=build /app/src/lib/schema.sql ./src/lib/schema.sql
 # Create data directory with correct ownership for SQLite
 RUN mkdir -p .data && chown nextjs:nodejs .data
-RUN apt-get update && apt-get install -y curl --no-install-recommends && rm -rf /var/lib/apt/lists/*
+RUN echo 'const http=require("http");const r=http.get("http://localhost:"+(process.env.PORT||3000)+"/api/status?action=health",s=>{process.exit(s.statusCode===200?0:1)});r.on("error",()=>process.exit(1));r.setTimeout(4000,()=>{r.destroy();process.exit(1)})' > /app/healthcheck.js
 USER nextjs
 ENV PORT=3000
 EXPOSE 3000
 ENV HOSTNAME=0.0.0.0
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-  CMD curl -f http://localhost:${PORT:-3000}/login || exit 1
+  CMD ["node", "/app/healthcheck.js"]
 CMD ["node", "server.js"]

README.md

@@ -24,20 +24,47 @@ Manage agent fleets, track tasks, monitor costs, and orchestrate workflows — a
 
 Running AI agents at scale means juggling sessions, tasks, costs, and reliability across multiple models and channels. Mission Control gives you:
 
-- **28 panels** — Tasks, agents, logs, tokens, memory, cron, alerts, webhooks, pipelines, and more
+- **32 panels** — Tasks, agents, skills, logs, tokens, memory, security, cron, alerts, webhooks, pipelines, and more
 - **Real-time everything** — WebSocket + SSE push updates, smart polling that pauses when you're away
 - **Zero external dependencies** — SQLite database, single `pnpm start` to run, no Redis/Postgres/Docker required
 - **Role-based access** — Viewer, operator, and admin roles with session + API key auth
-- **Quality gates** — Built-in review system that blocks task completion without sign-off
+- **Quality gates** — Built-in Aegis review system that blocks task completion without sign-off
+- **Recurring tasks** — Natural language scheduling ("every morning at 9am") with cron-based template spawning
+- **Claude Code bridge** — Read-only integration surfaces Claude Code team tasks and configs on the dashboard
+- **Skills Hub** — Browse, install, and security-scan agent skills from ClawdHub and skills.sh registries
 - **Multi-gateway** — Connect to multiple agent gateways simultaneously (OpenClaw, and more coming soon)
 
 ## Quick Start
 
-> **Requires [pnpm](https://pnpm.io/installation)** — Mission Control uses pnpm for dependency management. Install it with `npm install -g pnpm` or `corepack enable`.
+### One-Command Install (Docker)
 
 ```bash
 git clone https://github.com/builderz-labs/mission-control.git
 cd mission-control
+bash install.sh --docker
+```
+
+The installer auto-generates secure credentials, starts the container, and runs an OpenClaw fleet health check. Open `http://localhost:3000` and log in with the printed credentials.
+
+### One-Command Install (Local)
+
+```bash
+git clone https://github.com/builderz-labs/mission-control.git
+cd mission-control
+bash install.sh --local
+```
+
+Requires Node.js 22.x (LTS) and pnpm (auto-installed via corepack if missing).
+
+### Manual Setup
+
+> **Requires [pnpm](https://pnpm.io/installation)** and **Node.js 22.x (LTS)**.
+> Mission Control is validated against Node 22 across local dev, CI, Docker, and standalone deploys. Use `nvm use 22` (or your version manager equivalent) before installing or starting the app.
+
+```bash
+git clone https://github.com/builderz-labs/mission-control.git
+cd mission-control
+nvm use 22
 pnpm install
 cp .env.example .env    # edit with your values
 pnpm dev                # http://localhost:3000
@@ -46,6 +73,25 @@ pnpm dev                # http://localhost:3000
 Initial login is seeded from `AUTH_USER` / `AUTH_PASS` on first run.
 If `AUTH_PASS` contains `#`, quote it (e.g. `AUTH_PASS="my#password"`) or use `AUTH_PASS_B64`.
 
+### Docker Hardening (Production)
+
+For production deployments, use the hardened compose overlay:
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.hardened.yml up -d
+```
+
+This adds read-only filesystem, capability dropping, log rotation, HSTS, and network isolation. See [Security Hardening](docs/SECURITY-HARDENING.md) for the full checklist.
+
+### Station Doctor
+
+Run diagnostics on your installation:
+
+```bash
+bash scripts/station-doctor.sh
+bash scripts/security-audit.sh
+```
+
 ## Project Status
 
 ### What Works
@@ -65,7 +111,22 @@ If `AUTH_PASS` contains `#`, quote it (e.g. `AUTH_PASS="my#password"`) or use `A
 - Ed25519 device identity for secure gateway handshake
 - Agent SOUL system with workspace file sync and templates
 - Agent inter-agent messaging and comms
-- Update available banner with GitHub release check
+- Skills Hub with ClawdHub and skills.sh registry integration (search, install, security scan)
+- Bidirectional skill sync — disk ↔ DB with SHA-256 change detection
+- Local agent discovery from `~/.agents/`, `~/.codex/agents/`, `~/.claude/agents/`
+- Natural language recurring tasks — schedule parser converts "every 2 hours" to cron, spawns dated child tasks
+- Claude Code task bridge — read-only scanner surfaces team tasks and configs from `~/.claude/tasks/` and `~/.claude/teams/`
+- Skill security scanner (prompt injection, credential leaks, data exfiltration, obfuscated content)
+- Update available banner with GitHub release check and one-click self-update
+- Framework adapter layer for multi-agent registration (OpenClaw, CrewAI, LangGraph, AutoGen, Claude SDK, generic)
+- Multi-project task organization with per-project ticket prefixes
+- Per-agent rate limiting with `x-agent-name` identity-based quotas
+- Agent self-registration endpoint for autonomous agent onboarding
+- Security audit panel with posture scoring, secret detection, trust scoring, and MCP call auditing
+- Four-layer agent eval framework (output, trace, component, drift detection)
+- Agent optimization endpoint with token efficiency, tool patterns, and fleet benchmarks
+- Hook profiles (minimal/standard/strict) for tunable security strictness
+- Guided onboarding wizard with credential setup, agent discovery, and security scan
 
 ### Known Limitations
 
@@ -81,10 +142,10 @@ If `AUTH_PASS` contains `#`, quote it (e.g. `AUTH_PASS="my#password"`) or use `A
 ## Features
 
 ### Agent Management
-Monitor agent status, spawn new sessions, view heartbeats, and manage the full agent lifecycle from registration to retirement.
+Monitor agent status, configure models, view heartbeats, and manage the full agent lifecycle from registration to retirement. Agent detail modal with compact overview, inline model selector, and editable sub-agent configuration.
 
 ### Task Board
-Kanban board with six columns (inbox → backlog → todo → in-progress → review → done), drag-and-drop, priority levels, assignments, and threaded comments.
+Kanban board with six columns (inbox → assigned → in progress → review → quality review → done), drag-and-drop, priority levels, assignments, threaded comments, and inline sub-agent spawning.
 
 ### Real-time Monitoring
 Live activity feed, session inspector, and log viewer with filtering. WebSocket connection to OpenClaw gateway for instant event delivery.
@@ -93,7 +154,10 @@ Live activity feed, session inspector, and log viewer with filtering. WebSocket
 Token usage dashboard with per-model breakdowns, trend charts, and cost analysis powered by Recharts.
 
 ### Background Automation
-Scheduled tasks for database backups, stale record cleanup, and agent heartbeat monitoring. Configurable via UI or API.
+Scheduled tasks for database backups, stale record cleanup, agent heartbeat monitoring, and recurring task spawning. Configurable via UI or API.
+
+### Natural Language Recurring Tasks
+Create recurring tasks with natural language like "every morning at 9am" or "every 2 hours". The built-in schedule parser (zero dependencies) converts expressions to cron and stores them in task metadata. A template-clone pattern keeps the original task as a template and spawns dated child tasks (e.g., "Daily Report - Mar 07") on schedule. Each spawned task gets its own Aegis quality gate.
 
 ### Direct CLI Integration
 Connect Claude Code, Codex, or any CLI tool directly to Mission Control without requiring a gateway. Register connections, send heartbeats with inline token reporting, and auto-register agents.
@@ -101,28 +165,52 @@ Connect Claude Code, Codex, or any CLI tool directly to Mission Control without
 ### Claude Code Session Tracking
 Automatically discovers and tracks local Claude Code sessions by scanning `~/.claude/projects/`. Extracts token usage, model info, message counts, cost estimates, and active status from JSONL transcripts. Scans every 60 seconds via the background scheduler.
 
+### Claude Code Task Bridge
+Read-only integration that surfaces Claude Code team tasks and team configs on the Mission Control dashboard. Scans `~/.claude/tasks/<team>/<N>.json` for structured task data (subject, status, owner, blockers) and `~/.claude/teams/<name>/config.json` for team metadata (members, lead agent, model assignments). Visible in both the Task Board (collapsible section) and Cron Management (teams overview) panels.
+
 ### GitHub Issues Sync
 Inbound sync from GitHub repositories with label and assignee mapping. Synced issues appear on the task board alongside agent-created tasks.
 
+### Skills Hub
+Browse, install, and manage agent skills from local directories and external registries (ClawdHub, skills.sh). Bidirectional sync detects manual additions on disk and pushes UI edits back to `SKILL.md` files. Built-in security scanner checks for prompt injection, credential leaks, data exfiltration, obfuscated content, and dangerous shell commands before installation. Supports 5 skill roots: `~/.agents/skills`, `~/.codex/skills`, project-local `.agents/skills` and `.codex/skills`, and `~/.openclaw/skills` for gateway mode.
+
+### Local Agent Discovery
+Automatically discovers agent definitions from `~/.agents/`, `~/.codex/agents/`, and `~/.claude/agents/` directories. Detection looks for marker files (AGENT.md, soul.md, identity.md, config.json). Discovered agents sync bidirectionally — edit in the UI and changes write back to disk.
+
 ### Agent SOUL System
 Define agent personality, capabilities, and behavioral guidelines via SOUL markdown files. Edit in the UI or directly in workspace `soul.md` files — changes sync bidirectionally between disk and database.
 
 ### Agent Messaging
-Inter-agent communication via the comms API. Agents can send messages to each other, enabling coordinated multi-agent workflows.
+Session-threaded inter-agent communication via the comms API (`a2a:*`, `coord:*`, `session:*`) with coordinator inbox support and runtime tool-call visibility in the `agent-comms` feed.
+
+### Onboarding Wizard
+Guided first-run setup wizard that walks new users through five steps: Welcome (system capabilities detection), Credentials (verify AUTH_PASS and API_KEY strength), Agent Setup (gateway connection or local Claude Code discovery), Security Scan (automated configuration audit with pass/fail checks), and Get Started (quick links to key panels). Automatically appears on first login and can be re-launched from Settings. Progress is persisted per-user so you can resume where you left off.
+
+### Security Audit & Agent Trust
+Dedicated security audit panel with real-time posture scoring (0-100), secret detection across agent messages, MCP tool call auditing, injection attempt tracking, and per-agent trust scores. Hook profiles (minimal/standard/strict) let operators tune security strictness per deployment. Auth failures, rate limit hits, and injection attempts are logged automatically as security events.
+
+### Agent Eval Framework
+Four-layer evaluation stack for agent quality: output evals (task completion scoring against golden datasets), trace evals (convergence scoring — >3.0 indicates looping), component evals (tool reliability with p50/p95/p99 latency from MCP call logs), and drift detection (10% threshold vs 4-week rolling baseline). Manage golden datasets and trigger eval runs via API or UI.
+
+### Agent Optimization
+API endpoint agents can call for self-improvement recommendations. Analyzes token efficiency (tokens/task vs fleet average), tool usage patterns (success/failure rates, redundant calls), and generates prioritized recommendations. Fleet benchmarks provide percentile rankings across all agents.
 
 ### Integrations
 Outbound webhooks with delivery history, configurable alert rules with cooldowns, and multi-gateway connection management. Optional 1Password CLI integration for secret management.
 
 ### Workspace Management
-Workspaces (tenant instances) are created and managed through the **Super Admin** panel, accessible from the sidebar under **Admin > Super Admin**. From there, admins can:
+Workspaces (tenant instances) are managed via the `/api/super/*` API endpoints. Admins can:
 - **Create** new client instances (slug, display name, Linux user, gateway port, plan tier)
 - **Monitor** provisioning jobs and their step-by-step progress
 - **Decommission** tenants with optional cleanup of state directories and Linux users
 
-Each workspace gets its own isolated environment with a dedicated OpenClaw gateway, state directory, and workspace root. See the [Super Admin API](#api-overview) endpoints under `/api/super/*` for programmatic access.
+Each workspace gets its own isolated environment with a dedicated OpenClaw gateway, state directory, and workspace root.
 
 ### Update Checker
-Automatic GitHub release check notifies you when a new version is available, displayed as a banner in the dashboard.
+Automatic GitHub release check notifies you when a new version is available, displayed as a banner in the dashboard. Admins can trigger a one-click update directly from the banner — the server runs `git pull`, `pnpm install`, and `pnpm build`, then prompts for a restart. Dirty working trees are rejected, and all updates are logged to the audit trail.
+
+### Framework Adapters
+Built-in adapter layer for multi-agent registration across frameworks. Supported adapters: OpenClaw, CrewAI, LangGraph, AutoGen, Claude SDK, and a generic fallback. Each adapter normalizes agent registration, heartbeats, and task reporting to a common interface.
 
 ## Architecture
 
@@ -133,22 +221,35 @@ mission-control/
 │   ├── app/
 │   │   ├── page.tsx           # SPA shell — routes all panels
 │   │   ├── login/page.tsx     # Login page
-│   │   └── api/               # 66 REST API routes
+│   │   └── api/               # 101 REST API routes
 │   ├── components/
 │   │   ├── layout/            # NavRail, HeaderBar, LiveFeed
 │   │   ├── dashboard/         # Overview dashboard
-│   │   ├── panels/            # 28 feature panels
+│   │   ├── panels/            # 32 feature panels
 │   │   └── chat/              # Agent chat UI
 │   ├── lib/
 │   │   ├── auth.ts            # Session + API key auth, RBAC
 │   │   ├── db.ts              # SQLite (better-sqlite3, WAL mode)
 │   │   ├── claude-sessions.ts  # Local Claude Code session scanner
-│   │   ├── migrations.ts      # 21 schema migrations
+│   │   ├── claude-tasks.ts     # Claude Code team task/config scanner
+│   │   ├── schedule-parser.ts  # Natural language → cron expression parser
+│   │   ├── recurring-tasks.ts  # Recurring task template spawner
+│   │   ├── migrations.ts      # 39 schema migrations
 │   │   ├── scheduler.ts       # Background task scheduler
 │   │   ├── webhooks.ts        # Outbound webhook delivery
 │   │   ├── websocket.ts       # Gateway WebSocket client
 │   │   ├── device-identity.ts # Ed25519 device identity for gateway auth
-│   │   └── agent-sync.ts      # OpenClaw config → MC database sync
+│   │   ├── agent-sync.ts      # OpenClaw config → MC database sync
+│   │   ├── skill-sync.ts      # Bidirectional disk ↔ DB skill sync
+│   │   ├── skill-registry.ts  # ClawdHub + skills.sh registry client & security scanner
+│   │   ├── local-agent-sync.ts # Local agent discovery from ~/.agents, ~/.codex, ~/.claude
+│   │   ├── secret-scanner.ts   # Regex-based secret detection (AWS, GitHub, Stripe, JWT, PEM, DB URIs)
+│   │   ├── security-events.ts  # Security event logger + agent trust scoring
+│   │   ├── mcp-audit.ts        # MCP tool call auditing
+│   │   ├── agent-evals.ts      # Four-layer agent eval framework
+│   │   ├── agent-optimizer.ts  # Agent optimization engine
+│   │   ├── hook-profiles.ts    # Security strictness profiles (minimal/standard/strict)
+│   │   └── adapters/          # Framework adapters (openclaw, crewai, langgraph, autogen, claude-sdk, generic)
 │   └── store/index.ts         # Zustand state management
 └── .data/                     # Runtime data (SQLite DB, token logs)
 ```
@@ -166,7 +267,7 @@ mission-control/
 | Real-time | WebSocket + Server-Sent Events |
 | Auth | scrypt hashing, session tokens, RBAC |
 | Validation | Zod 4 |
-| Testing | Vitest + Playwright (148 E2E tests) |
+| Testing | Vitest (282 unit) + Playwright (295 E2E) |
 
 ## Authentication
 
@@ -211,7 +312,9 @@ All endpoints require authentication unless noted. Full reference below.
 | `POST` | `/api/agents` | operator | Register/update agent |
 | `GET` | `/api/agents/[id]` | viewer | Agent details |
 | `GET` | `/api/agents/[id]/attribution` | viewer | Self-scope attribution/audit/cost report (`?privileged=1` admin override) |
-| `POST` | `/api/agents/sync` | operator | Sync agents from openclaw.json |
+| `POST` | `/api/agents/sync` | operator | Sync agents from openclaw.json or local disk (`?source=local`) |
+| `POST` | `/api/agents/register` | viewer | Agent self-registration (idempotent, rate-limited) |
+| `GET/POST` | `/api/adapters` | viewer/operator | List adapters / Framework-agnostic agent action dispatch |
 | `GET/PUT` | `/api/agents/[id]/soul` | operator | Agent SOUL content (reads from workspace, writes to both) |
 | `GET/POST` | `/api/agents/comms` | operator | Agent inter-agent communication |
 | `POST` | `/api/agents/message` | operator | Send message to agent |
@@ -235,6 +338,19 @@ All endpoints require authentication unless noted. Full reference below.
   - `hours`: integer window `1..720` (default `24`)
   - `section`: comma-separated subset of `identity,audit,mutations,cost` (default all)
 
+<details>
+<summary><strong>Security & Evals</strong></summary>
+
+| Method | Path | Role | Description |
+|--------|------|------|-------------|
+| `GET` | `/api/security-audit` | admin | Security posture, events, trust scores, MCP audit (`?timeframe=day`) |
+| `GET` | `/api/security-scan` | admin | Static security configuration scan |
+| `GET` | `/api/agents/optimize` | operator | Agent optimization recommendations (`?agent=&hours=24`) |
+| `GET` | `/api/agents/evals` | operator | Agent eval results (`?agent=`, `?action=history&weeks=4`) |
+| `POST` | `/api/agents/evals` | operator | Trigger eval run (`action: 'run'`) or manage golden datasets (`action: 'golden-set'`) |
+
+</details>
+
 <details>
 <summary><strong>Monitoring</strong></summary>
 
@@ -259,6 +375,7 @@ All endpoints require authentication unless noted. Full reference below.
 | `GET/PUT` | `/api/settings` | admin | App settings |
 | `GET/PUT` | `/api/gateway-config` | admin | OpenClaw gateway config |
 | `GET/POST` | `/api/cron` | admin | Cron management |
+| `GET/POST` | `/api/onboarding` | viewer | Onboarding wizard state and step progression |
 
 </details>
 
@@ -297,7 +414,7 @@ All endpoints require authentication unless noted. Full reference below.
 </details>
 
 <details>
-<summary><strong>Super Admin (Workspace/Tenant Management)</strong></summary>
+<summary><strong>Workspace/Tenant Management</strong></summary>
 
 | Method | Path | Role | Description |
 |--------|------|------|-------------|
@@ -310,6 +427,23 @@ All endpoints require authentication unless noted. Full reference below.
 
 </details>
 
+<details>
+<summary><strong>Skills</strong></summary>
+
+| Method | Path | Role | Description |
+|--------|------|------|-------------|
+| `GET` | `/api/skills` | viewer | List skills (DB-backed with filesystem fallback) |
+| `GET` | `/api/skills?mode=content&source=…&name=…` | viewer | Read SKILL.md content with inline security report |
+| `GET` | `/api/skills?mode=check&source=…&name=…` | viewer | On-demand security scan |
+| `POST` | `/api/skills` | operator | Create skill |
+| `PUT` | `/api/skills` | operator | Update skill content |
+| `DELETE` | `/api/skills` | operator | Delete skill |
+| `GET` | `/api/skills/registry?source=…&q=…` | viewer | Search external registry (ClawdHub, skills.sh) |
+| `POST` | `/api/skills/registry` | admin | Install skill from registry |
+| `PUT` | `/api/skills/registry` | viewer | Security-check content without installing |
+
+</details>
+
 <details>
 <summary><strong>Direct CLI</strong></summary>
 
@@ -351,6 +485,8 @@ All endpoints require authentication unless noted. Full reference below.
 |--------|------|------|-------------|
 | `GET` | `/api/claude/sessions` | viewer | List discovered sessions (filter: `?active=1`, `?project=`) |
 | `POST` | `/api/claude/sessions` | operator | Trigger manual session scan |
+| `GET` | `/api/claude-tasks` | viewer | List Claude Code team tasks and configs (`?force=true` to bypass cache) |
+| `GET` | `/api/schedule-parse` | viewer | Parse natural language schedule (`?input=every+2+hours`) |
 
 </details>
 
@@ -402,15 +538,11 @@ See [`.env.example`](.env.example) for the complete list. Key variables:
 
 ### Workspace Creation Flow
 
-To add a new workspace/client instance in the UI:
+To add a new workspace/client instance, use the `/api/super/tenants` endpoint or the Workspaces panel (if enabled):
 
-1. Open `Workspaces` from the left navigation.
-2. Expand `Show Create Client Instance`.
-3. Fill tenant/workspace fields (`slug`, `display_name`, optional ports/gateway owner).
-4. Click `Create + Queue`.
-5. Approve/run the generated provisioning job in the same panel.
-
-`Workspaces` and `Super Admin` currently point to the same provisioning control plane.
+1. Provide tenant/workspace fields (`slug`, `display_name`, optional ports/gateway owner).
+2. The system queues a bootstrap provisioning job.
+3. Approve/run the provisioning job via `/api/super/provision-jobs/[id]/action`.
 
 ### Projects and Ticket Prefixes
 
@@ -529,8 +661,16 @@ See [open issues](https://github.com/builderz-labs/mission-control/issues) for p
 
 **Up next:**
 
+- [x] Workspace isolation for multi-team usage ([#75](https://github.com/builderz-labs/mission-control/issues/75))
+- [x] Framework adapter layer — multi-agent registration across OpenClaw, CrewAI, LangGraph, AutoGen, Claude SDK, and generic
+- [x] Self-update mechanism — admin-only one-click update with audit logging
+- [x] Multi-project task organization with per-project ticket prefixes
+- [x] Skills Hub — browse, install, and security-scan skills from ClawdHub and skills.sh registries
+- [x] Bidirectional skill sync — disk ↔ DB with SHA-256 change detection (60s scheduler)
+- [x] Local agent discovery — auto-detect agents from `~/.agents/`, `~/.codex/agents/`, `~/.claude/agents/`
+- [x] Natural language recurring tasks with cron-based template spawning
+- [x] Claude Code task bridge — read-only team task and config integration
 - [ ] Agent-agnostic gateway support — connect any orchestration framework (OpenClaw, ZeroClaw, OpenFang, NeoBot, IronClaw, etc.), not just OpenClaw
-- [ ] Workspace isolation for multi-team usage ([#75](https://github.com/builderz-labs/mission-control/issues/75))
 - [ ] **[Flight Deck](https://github.com/splitlabs/flight-deck)** — native desktop companion app (Tauri v2) with real PTY terminal grid, stall inbox with native OS notifications, and system tray HUD. Currently in private beta.
 - [ ] First-class per-agent cost breakdowns — dedicated panel with per-agent token usage and spend (currently derivable from per-session data)
 - [ ] OAuth approval UI improvements
@@ -544,6 +684,16 @@ Contributions are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for setup inst
 
 To report a vulnerability, see [SECURITY.md](SECURITY.md).
 
+## ❤️ Support the Project
+
+If you find this project useful, consider supporting my open-source work.
+
+[![Buy Me A Coffee](https://img.shields.io/badge/Buy%20Me%20a%20Coffee-support-orange?logo=buymeacoffee)](https://buymeacoffee.com/nyk_builderz)
+
+**Solana donations**
+
+`BYLu8XD8hGDUtdRBWpGWu5HKoiPrWqCxYFSh4oxXuvPg`
+
 ## License
 
 [MIT](LICENSE) © 2026 [Builderz Labs](https://github.com/builderz-labs)

SECURITY.md

@@ -27,5 +27,42 @@ Mission Control handles authentication credentials and API keys. When deploying:
 - Always set strong values for `AUTH_PASS` and `API_KEY`.
 - Use `MC_ALLOWED_HOSTS` to restrict network access in production.
 - Keep `.env` files out of version control (already in `.gitignore`).
-- Enable `MC_COOKIE_SECURE=true` when serving over HTTPS.
+- Enable `MC_COOKIE_SECURE=1` when serving over HTTPS.
 - Review the [Environment Variables](README.md#environment-variables) section for all security-relevant configuration.
+
+## Hardening Checklist
+
+Run `bash scripts/security-audit.sh` to check your deployment automatically.
+
+### Credentials
+- [ ] `AUTH_PASS` is a strong, unique password (12+ characters)
+- [ ] `API_KEY` is a random hex string (not the default)
+- [ ] `AUTH_SECRET` is a random string
+- [ ] `.env` file permissions are `600` (owner read/write only)
+
+### Network
+- [ ] `MC_ALLOWED_HOSTS` is configured (not `MC_ALLOW_ANY_HOST=1`)
+- [ ] Dashboard is behind a reverse proxy with TLS (Caddy, nginx, Tailscale)
+- [ ] `MC_ENABLE_HSTS=1` is set for HTTPS deployments
+- [ ] `MC_COOKIE_SECURE=1` is set for HTTPS deployments
+- [ ] `MC_COOKIE_SAMESITE=strict`
+
+### Docker (if applicable)
+- [ ] Use the hardened compose overlay: `docker compose -f docker-compose.yml -f docker-compose.hardened.yml up`
+- [ ] Container runs as non-root user (default: `nextjs`, UID 1001)
+- [ ] Read-only filesystem with tmpfs for temp dirs
+- [ ] All Linux capabilities dropped except `NET_BIND_SERVICE`
+- [ ] `no-new-privileges` security option enabled
+- [ ] Log rotation configured (max-size, max-file)
+
+### OpenClaw Gateway
+- [ ] Gateway bound to localhost (`OPENCLAW_GATEWAY_HOST=127.0.0.1`)
+- [ ] Gateway token configured (`OPENCLAW_GATEWAY_TOKEN`)
+- [ ] Gateway token NOT exposed via `NEXT_PUBLIC_*` variables
+
+### Monitoring
+- [ ] Rate limiting is active (`MC_DISABLE_RATE_LIMIT` is NOT set)
+- [ ] Audit logging is enabled with appropriate retention
+- [ ] Regular database backups configured
+
+See [docs/SECURITY-HARDENING.md](docs/SECURITY-HARDENING.md) for the full hardening guide.

SKILL.md

@@ -0,0 +1,278 @@
+---
+name: mission-control
+description: "Interact with Mission Control — AI agent orchestration dashboard. Use when registering agents, managing tasks, syncing skills, or querying agent/task status via MC APIs."
+---
+
+# Mission Control Agent Skill
+
+Mission Control (MC) is an AI agent orchestration dashboard with real-time SSE/WebSocket, a skill registry, framework adapters, and RBAC. This skill teaches agents how to interact with MC APIs programmatically.
+
+## Quick Start
+
+**Base URL:** `http://localhost:3000` (default Next.js dev) or your deployed host.
+
+**Auth header:** `x-api-key: <your-api-key>`
+
+**Register + heartbeat in two calls:**
+
+```bash
+# 1. Register
+curl -X POST http://localhost:3000/api/adapters \
+  -H "Content-Type: application/json" \
+  -H "x-api-key: $MC_API_KEY" \
+  -d '{
+    "framework": "generic",
+    "action": "register",
+    "payload": { "agentId": "my-agent-01", "name": "My Agent" }
+  }'
+
+# 2. Heartbeat (repeat every 5 minutes)
+curl -X POST http://localhost:3000/api/adapters \
+  -H "Content-Type: application/json" \
+  -H "x-api-key: $MC_API_KEY" \
+  -d '{
+    "framework": "generic",
+    "action": "heartbeat",
+    "payload": { "agentId": "my-agent-01", "status": "online" }
+  }'
+```
+
+## Authentication
+
+MC supports two auth methods:
+
+| Method | Header | Use Case |
+|--------|--------|----------|
+| API Key | `x-api-key: <key>` or `Authorization: Bearer <key>` | Agents, scripts, CI/CD |
+| Session cookie | `Cookie: mc-session=<token>` | Browser UI |
+
+**Roles (hierarchical):** `viewer` < `operator` < `admin`
+
+- **viewer** — Read-only access (GET endpoints)
+- **operator** — Create/update agents, tasks, skills, use adapters
+- **admin** — Full access including user management
+
+API key auth grants `admin` role by default. The key is set via `API_KEY` env var or the `security.api_key` DB setting.
+
+Agents can identify themselves with the optional `X-Agent-Name` header for attribution in audit logs.
+
+## Agent Lifecycle
+
+```
+register → heartbeat (5m interval) → fetch assignments → report task status → disconnect
+```
+
+All lifecycle actions go through the adapter protocol (`POST /api/adapters`).
+
+### 1. Register
+
+```json
+{
+  "framework": "generic",
+  "action": "register",
+  "payload": {
+    "agentId": "my-agent-01",
+    "name": "My Agent",
+    "metadata": { "version": "1.0", "capabilities": ["code", "review"] }
+  }
+}
+```
+
+### 2. Heartbeat
+
+Send every ~5 minutes to stay marked as online.
+
+```json
+{
+  "framework": "generic",
+  "action": "heartbeat",
+  "payload": {
+    "agentId": "my-agent-01",
+    "status": "online",
+    "metrics": { "tasks_completed": 5, "uptime_seconds": 3600 }
+  }
+}
+```
+
+### 3. Fetch Assignments
+
+Returns up to 5 pending tasks sorted by priority (critical → low), then due date.
+
+```json
+{
+  "framework": "generic",
+  "action": "assignments",
+  "payload": { "agentId": "my-agent-01" }
+}
+```
+
+**Response:**
+
+```json
+{
+  "assignments": [
+    { "taskId": "42", "description": "Fix login bug\nUsers cannot log in with SSO", "priority": 1 }
+  ],
+  "framework": "generic"
+}
+```
+
+### 4. Report Task Progress
+
+```json
+{
+  "framework": "generic",
+  "action": "report",
+  "payload": {
+    "taskId": "42",
+    "agentId": "my-agent-01",
+    "progress": 75,
+    "status": "in_progress",
+    "output": "Fixed SSO handler, running tests..."
+  }
+}
+```
+
+`status` values: `in_progress`, `done`, `failed`, `blocked`
+
+### 5. Disconnect
+
+```json
+{
+  "framework": "generic",
+  "action": "disconnect",
+  "payload": { "agentId": "my-agent-01" }
+}
+```
+
+## Core API Reference
+
+### Agents — `/api/agents`
+
+| Method | Min Role | Description |
+|--------|----------|-------------|
+| GET | viewer | List agents. Query: `?status=online&role=dev&limit=50&offset=0` |
+| POST | operator | Create agent. Body: `{ name, role, status?, config?, template?, session_key?, soul_content? }` |
+| PUT | operator | Update agent. Body: `{ name, status?, role?, config?, session_key?, soul_content?, last_activity? }` |
+
+**GET response shape:**
+
+```json
+{
+  "agents": [{
+    "id": 1, "name": "scout", "role": "researcher", "status": "online",
+    "config": {}, "taskStats": { "total": 10, "assigned": 2, "in_progress": 1, "completed": 7 }
+  }],
+  "total": 1, "page": 1, "limit": 50
+}
+```
+
+### Tasks — `/api/tasks`
+
+| Method | Min Role | Description |
+|--------|----------|-------------|
+| GET | viewer | List tasks. Query: `?status=in_progress&assigned_to=scout&priority=high&project_id=1&limit=50&offset=0` |
+| POST | operator | Create task. Body: `{ title, description?, status?, priority?, assigned_to?, project_id?, tags?, metadata?, due_date?, estimated_hours? }` |
+| PUT | operator | Bulk status update. Body: `{ tasks: [{ id, status }] }` |
+
+**Priority values:** `critical`, `high`, `medium`, `low`
+
+**Status values:** `inbox`, `assigned`, `in_progress`, `review`, `done`, `failed`, `blocked`, `cancelled`
+
+Note: Moving a task to `done` via PUT requires an Aegis quality review approval.
+
+**POST response:**
+
+```json
+{
+  "task": {
+    "id": 42, "title": "Fix login bug", "status": "assigned",
+    "priority": "high", "assigned_to": "scout", "ticket_ref": "GEN-001",
+    "tags": ["bug"], "metadata": {}
+  }
+}
+```
+
+### Skills — `/api/skills`
+
+| Method | Min Role | Description |
+|--------|----------|-------------|
+| GET | viewer | List all skills across roots |
+| GET `?mode=content&source=...&name=...` | viewer | Read a skill's SKILL.md content |
+| GET `?mode=check&source=...&name=...` | viewer | Run security check on a skill |
+| POST | operator | Create/upsert skill. Body: `{ source, name, content }` |
+| PUT | operator | Update skill content. Body: `{ source, name, content }` |
+| DELETE `?source=...&name=...` | operator | Delete a skill |
+
+**Skill sources:** `user-agents`, `user-codex`, `project-agents`, `project-codex`, `openclaw`
+
+### Status — `/api/status`
+
+| Action | Min Role | Description |
+|--------|----------|-------------|
+| GET `?action=overview` | viewer | System status (uptime, memory, disk, sessions) |
+| GET `?action=dashboard` | viewer | Aggregated dashboard data with DB stats |
+| GET `?action=gateway` | viewer | Gateway process status and port check |
+| GET `?action=models` | viewer | Available AI models (catalog + local Ollama) |
+| GET `?action=health` | viewer | Health checks (gateway, disk, memory) |
+| GET `?action=capabilities` | viewer | Feature flags: gateway reachable, Claude home, subscriptions |
+
+### Adapters — `/api/adapters`
+
+| Method | Min Role | Description |
+|--------|----------|-------------|
+| GET | viewer | List available framework adapter names |
+| POST | operator | Execute adapter action (see Agent Lifecycle above) |
+
+## Framework Adapter Protocol
+
+All agent lifecycle operations use a single endpoint:
+
+```
+POST /api/adapters
+Content-Type: application/json
+x-api-key: <key>
+
+{
+  "framework": "<adapter-name>",
+  "action": "<action>",
+  "payload": { ... }
+}
+```
+
+**Available frameworks:** `generic`, `openclaw`, `crewai`, `langgraph`, `autogen`, `claude-sdk`
+
+**Available actions:** `register`, `heartbeat`, `report`, `assignments`, `disconnect`
+
+All adapters implement the same `FrameworkAdapter` interface — choose the one matching your agent framework, or use `generic` as a universal fallback.
+
+**Payload shapes by action:**
+
+| Action | Required Fields | Optional Fields |
+|--------|----------------|-----------------|
+| `register` | `agentId`, `name` | `metadata` |
+| `heartbeat` | `agentId` | `status`, `metrics` |
+| `report` | `taskId`, `agentId` | `progress`, `status`, `output` |
+| `assignments` | `agentId` | — |
+| `disconnect` | `agentId` | — |
+
+## Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `API_KEY` | — | API key for agent/script authentication |
+| `OPENCLAW_GATEWAY_HOST` | `127.0.0.1` | Gateway host address |
+| `OPENCLAW_GATEWAY_PORT` | `18789` | Gateway port |
+| `MISSION_CONTROL_DB_PATH` | `.data/mission-control.db` | SQLite database path |
+| `OPENCLAW_STATE_DIR` | `~/.openclaw` | OpenClaw state directory |
+| `OPENCLAW_CONFIG_PATH` | `<state-dir>/openclaw.json` | Gateway config file path |
+| `MC_CLAUDE_HOME` | `~/.claude` | Claude home directory |
+
+## Real-Time Events
+
+MC broadcasts events via SSE (`/api/events`) and WebSocket. Key event types:
+
+- `agent.created`, `agent.updated`, `agent.status_changed`
+- `task.created`, `task.updated`, `task.status_changed`
+
+Subscribe to SSE for live dashboard updates when building integrations.

docker-compose.hardened.yml

@@ -0,0 +1,21 @@
+# Production hardening overlay
+# Usage: docker compose -f docker-compose.yml -f docker-compose.hardened.yml up -d
+services:
+  mission-control:
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+    environment:
+      - MC_ALLOWED_HOSTS=localhost,127.0.0.1
+      - MC_COOKIE_SECURE=1
+      - MC_COOKIE_SAMESITE=strict
+      - MC_ENABLE_HSTS=1
+    networks:
+      mc-internal:
+
+networks:
+  mc-internal:
+    driver: bridge
+    internal: true

docker-compose.yml

@@ -11,7 +11,29 @@ services:
         required: false
     volumes:
       - mc-data:/app/.data
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /app/.next/cache
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
+    security_opt:
+      - no-new-privileges:true
+    pids_limit: 256
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+          cpus: '1.0'
+    networks:
+      - mc-net
     restart: unless-stopped
 
 volumes:
   mc-data:
+
+networks:
+  mc-net:
+    driver: bridge

docs/LANDING-PAGE-HANDOFF.md

@@ -0,0 +1,248 @@
+# Mission Control — Landing Page Handoff
+
+> Last updated: 2026-03-07 | Version: 1.3.0 | Branch: `fix/refactor` (bb5029e)
+
+This document contains all copy, stats, features, and structure needed to build or update the Mission Control landing page. Everything below reflects the current state of the shipped product.
+
+---
+
+## Hero Section
+
+**Headline:**
+The Open-Source Dashboard for AI Agent Orchestration
+
+**Subheadline:**
+Manage agent fleets, track tasks, monitor costs, and orchestrate workflows — all from a single pane of glass. Zero external dependencies. One `pnpm start` to run.
+
+**CTA:** `Get Started` -> GitHub repo | `Live Demo` -> demo instance (if available)
+
+**Badges:**
+- MIT License
+- Next.js 16
+- React 19
+- TypeScript 5.7
+- SQLite (WAL mode)
+- 165 unit tests (Vitest)
+- 295 E2E tests (Playwright)
+
+**Hero image:** `docs/mission-control.jpg` (current dashboard screenshot — should be refreshed with latest UI)
+
+---
+
+## Key Stats (above the fold)
+
+| Stat | Value |
+|------|-------|
+| Panels | 31 feature panels |
+| API routes | 98 REST endpoints |
+| Schema migrations | 36 |
+| Test coverage | 165 unit + 295 E2E |
+| Total commits | 239+ |
+| External dependencies required | 0 (SQLite only, no Redis/Postgres/Docker) |
+| Auth methods | 3 (session, API key, Google OAuth) |
+| Framework adapters | 6 (OpenClaw, CrewAI, LangGraph, AutoGen, Claude SDK, Generic) |
+
+---
+
+## Feature Grid
+
+### 1. Task Board (Kanban)
+Six-column kanban (Inbox > Assigned > In Progress > Review > Quality Review > Done) with drag-and-drop, priority levels, assignments, threaded comments, and inline sub-agent spawning. Multi-project support with per-project ticket prefixes (e.g. `PA-001`).
+
+### 2. Agent Management
+Full lifecycle — register, heartbeat, wake, retire. Redesigned agent detail modal with compact overview, inline model selector, editable sub-agent configuration, and SOUL personality system. Local agent discovery from `~/.agents/`, `~/.codex/agents/`, `~/.claude/agents/`.
+
+### 3. Real-Time Monitoring
+Live activity feed, session inspector, and log viewer with filtering. WebSocket + SSE push updates with smart polling that pauses when you're away. Gateway connection state with live dot indicators.
+
+### 4. Cost Tracking
+Token usage dashboard with per-model breakdowns, trend charts, and cost analysis. Per-agent cost panels with session-level granularity.
+
+### 5. Quality Gates (Aegis)
+Built-in review system that blocks task completion without sign-off. Automated Aegis quality review — scheduler polls review tasks and approves/rejects based on configurable criteria.
+
+### 6. Recurring Tasks
+Natural language scheduling — "every morning at 9am", "every 2 hours". Zero-dependency schedule parser converts to cron. Template-clone pattern spawns dated child tasks (e.g. "Daily Report — Mar 07").
+
+### 7. Task Dispatch
+Scheduler polls assigned tasks and runs agents via CLI. Dispatched tasks link to agent sessions for full traceability.
+
+### 8. Skills Hub
+Browse, install, and manage agent skills from local directories and external registries (ClawdHub, skills.sh). Built-in security scanner checks for prompt injection, credential leaks, data exfiltration, and obfuscated content. Bidirectional disk-DB sync with SHA-256 change detection.
+
+### 9. Claude Code Integration
+- **Session tracking** — auto-discovers sessions from `~/.claude/projects/`, extracts tokens, model info, costs
+- **Task bridge** — read-only integration surfaces Claude Code team tasks and configs
+- **Direct CLI** — connect Claude Code, Codex, or any CLI directly without a gateway
+
+### 10. Memory Knowledge Graph
+Visual knowledge graph for agent memory in gateway mode. Interactive node-edge visualization of agent memory relationships.
+
+### 11. Agent Messaging (Comms)
+Session-threaded inter-agent communication via comms API (`a2a:*`, `coord:*`, `session:*`). Coordinator inbox support with runtime tool-call visibility.
+
+### 12. Multi-Gateway
+Connect to multiple agent gateways simultaneously. OS-level gateway discovery (systemd, Tailscale Serve). Auto-connect with health probes.
+
+### 13. Framework Adapters
+Built-in adapter layer for multi-agent registration: OpenClaw, CrewAI, LangGraph, AutoGen, Claude SDK, and generic fallback. Each normalizes registration, heartbeats, and task reporting.
+
+### 14. Background Automation
+Scheduled tasks for DB backups, stale record cleanup, agent heartbeat monitoring, recurring task spawning, and automated quality reviews.
+
+### 15. Webhooks & Alerts
+Outbound webhooks with delivery history, retry with exponential backoff, circuit breaker, and HMAC-SHA256 signature verification. Configurable alert rules with cooldowns.
+
+### 16. GitHub Sync
+Bidirectional GitHub Issues sync with label and assignee mapping. Full parity sync implementation.
+
+### 17. Security
+- Ed25519 device identity for gateway handshake
+- scrypt password hashing
+- RBAC (viewer, operator, admin)
+- CSRF origin checks
+- CSP headers
+- Rate limiting with trusted proxy support
+- Per-agent rate limiting with `x-agent-name` identity-based quotas
+- Skill security scanner
+
+### 18. Self-Update
+GitHub release check with banner notification. One-click admin update (git pull, pnpm install, pnpm build). Dirty working trees rejected. All updates audit-logged.
+
+### 19. Audit Trail
+Complete action type coverage with grouped filters. Full audit history for compliance and debugging.
+
+### 20. Pipelines & Workflows
+Pipeline orchestration with workflow templates. Start, monitor, and manage multi-step agent workflows.
+
+---
+
+## "How It Works" Section
+
+```
+1. Clone & Start       git clone ... && pnpm install && pnpm dev
+2. Agents Register     Via gateway, CLI, or self-registration endpoint
+3. Tasks Flow          Kanban board with automatic dispatch and quality gates
+4. Monitor & Scale     Real-time dashboards, cost tracking, recurring automation
+```
+
+---
+
+## Tech Stack Section
+
+| Layer | Technology |
+|-------|------------|
+| Framework | Next.js 16 (App Router) |
+| UI | React 19, Tailwind CSS 3.4 |
+| Language | TypeScript 5.7 |
+| Database | SQLite via better-sqlite3 (WAL mode) |
+| State | Zustand 5 |
+| Charts | Recharts 3 |
+| Real-time | WebSocket + Server-Sent Events |
+| Auth | scrypt hashing, session tokens, RBAC |
+| Validation | Zod 4 |
+| Testing | Vitest + Playwright |
+
+---
+
+## Auth & Access Section
+
+**Three auth methods:**
+1. Session cookie — username/password login (7-day expiry)
+2. API key — `x-api-key` header for headless/agent access
+3. Google Sign-In — OAuth with admin approval workflow
+
+**Three roles:**
+| Role | Access |
+|------|--------|
+| Viewer | Read-only dashboard access |
+| Operator | Read + write (tasks, agents, chat, spawn) |
+| Admin | Full access (users, settings, system ops, webhooks) |
+
+---
+
+## Architecture Diagram (simplified)
+
+```
+mission-control/
+  src/
+    app/api/          98 REST API routes
+    components/
+      panels/         31 feature panels
+      dashboard/      Overview dashboard
+      chat/           Agent chat workspace
+      layout/         NavRail, HeaderBar, LiveFeed
+    lib/
+      auth.ts         Session + API key + Google OAuth
+      db.ts           SQLite (WAL mode, 36 migrations)
+      scheduler.ts    Background automation
+      websocket.ts    Gateway WebSocket client
+      adapters/       6 framework adapters
+  .data/              Runtime SQLite DB + token logs
+```
+
+---
+
+## Quick Start Section
+
+```bash
+git clone https://github.com/builderz-labs/mission-control.git
+cd mission-control
+pnpm install
+cp .env.example .env    # edit with your values
+pnpm dev                # http://localhost:3000
+```
+
+Initial login seeded from `AUTH_USER` / `AUTH_PASS` on first run.
+
+---
+
+## Social Proof / Traction
+
+- 239+ commits of active development
+- Open-source MIT license
+- Used in production for multi-agent orchestration
+- Supports 6 agent frameworks out of the box
+- Zero-config SQLite — no Docker, Redis, or Postgres required
+
+---
+
+## Roadmap / Coming Soon
+
+- Agent-agnostic gateway support (OpenClaw, ZeroClaw, OpenFang, NeoBot, IronClaw, etc.)
+- **Flight Deck** — native desktop companion app (Tauri v2) with real PTY terminal grid and system tray HUD (private beta)
+- First-class per-agent cost breakdowns panel
+- OAuth approval UI improvements
+- API token rotation UI
+
+---
+
+## Recent Changelog (latest 20 notable changes)
+
+1. **Memory knowledge graph** — interactive visualization for agent memory in gateway mode
+2. **Agent detail modal redesign** — minimal header, compact overview, inline model selector
+3. **Spawn/task unification** — spawn moved inline to task board, sub-agent config to agent detail
+4. **Agent comms hardening** — session-threaded messaging with runtime tool visibility
+5. **Audit trail** — complete action type coverage with grouped filters
+6. **OS-level gateway discovery** — detect gateways via systemd and Tailscale Serve
+7. **GitHub sync** — full parity sync with loading state fixes
+8. **Automated Aegis quality review** — scheduler-driven approve/reject
+9. **Task dispatch** — scheduler polls and runs agents via CLI with session linking
+10. **Natural language recurring tasks** — zero-dep schedule parser + template spawning
+11. **Claude Code task bridge** — read-only team task and config integration
+12. **Agent card redesign** — gateway badge tooltips, ws:// localhost support
+13. **Skills Hub** — registry integration, bidirectional sync, security scanner
+14. **Per-agent rate limiting** — identity-based quotas via `x-agent-name`
+15. **Agent self-registration** — autonomous onboarding endpoint
+16. **Framework adapters** — OpenClaw, CrewAI, LangGraph, AutoGen, Claude SDK, generic
+17. **Self-update mechanism** — one-click update with audit logging
+18. **Local agent discovery** — auto-detect from ~/.agents, ~/.codex, ~/.claude
+19. **Chat workspace** — embedded chat with local session continuation
+20. **Ed25519 device identity** — secure gateway challenge-response handshake
+
+---
+
+## Footer
+
+MIT License | 2026 Builderz Labs
+GitHub: github.com/builderz-labs/mission-control

docs/SECURITY-HARDENING.md

@@ -0,0 +1,277 @@
+# Security Hardening Guide
+
+Comprehensive security hardening guide for Mission Control and OpenClaw Gateway deployments.
+
+## Quick Assessment
+
+Run the automated security audit:
+
+```bash
+bash scripts/security-audit.sh        # Check .env and configuration
+bash scripts/station-doctor.sh         # Check runtime health
+```
+
+Or use the diagnostics API (admin only):
+
+```bash
+curl -H "x-api-key: $API_KEY" http://localhost:3000/api/diagnostics
+curl -H "x-api-key: $API_KEY" http://localhost:3000/api/security-audit?timeframe=day
+```
+
+The `posture.score` field (0-100) gives a quick posture assessment. The **Security Audit Panel** (`/security` in the dashboard) provides a full real-time view with timeline charts, agent trust scores, and eval results.
+
+---
+
+## Mission Control Hardening
+
+### 1. Credentials
+
+**Generate strong credentials** using the included script:
+
+```bash
+bash scripts/generate-env.sh           # Generates .env with random secrets
+chmod 600 .env                          # Lock down permissions
+```
+
+The installer (`install.sh`) does this automatically. If you set up manually, ensure:
+
+- `AUTH_PASS` is 12+ characters, not a dictionary word
+- `API_KEY` is 32+ hex characters
+- `AUTH_SECRET` is a unique random string
+- `.env` file permissions are `600`
+
+### 2. Network Access Control
+
+Mission Control uses a host allowlist in production:
+
+```env
+# Only allow connections from these hosts (comma-separated)
+MC_ALLOWED_HOSTS=localhost,127.0.0.1
+
+# For Tailscale: MC_ALLOWED_HOSTS=localhost,127.0.0.1,100.*
+# For a domain: MC_ALLOWED_HOSTS=mc.example.com,localhost
+
+# NEVER set this in production:
+# MC_ALLOW_ANY_HOST=1
+```
+
+Deploy behind a reverse proxy with TLS (Caddy, nginx, Tailscale Funnel) for any network-accessible deployment.
+
+### 3. HTTPS & Cookies
+
+For HTTPS deployments:
+
+```env
+MC_COOKIE_SECURE=1           # Cookies only sent over HTTPS
+MC_COOKIE_SAMESITE=strict    # CSRF protection
+MC_ENABLE_HSTS=1             # HTTP Strict Transport Security
+```
+
+### 4. Rate Limiting
+
+Rate limiting is enabled by default:
+
+| Endpoint Type | Limit |
+|--------------|-------|
+| Login | 5 attempts/min (always active) |
+| Mutations | 60 requests/min |
+| Reads | 120 requests/min |
+| Heavy operations | 10 requests/min |
+| Agent heartbeat | 30/min per agent |
+| Agent task polling | 20/min per agent |
+
+Never set `MC_DISABLE_RATE_LIMIT=1` in production.
+
+### 5. Docker Hardening
+
+Use the production compose overlay:
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.hardened.yml up -d
+```
+
+This enables:
+- **Read-only filesystem** with tmpfs for `/tmp` and `/app/.next/cache`
+- **Capability dropping** — all Linux capabilities dropped, only `NET_BIND_SERVICE` retained
+- **No new privileges** — prevents privilege escalation
+- **PID limit** — prevents fork bombs
+- **Memory/CPU limits** — prevents resource exhaustion
+- **Log rotation** — prevents disk filling from verbose logging
+- **HSTS, secure cookies** — forced via environment
+
+### 6. Security Headers
+
+Mission Control sets these headers automatically:
+
+| Header | Value |
+|--------|-------|
+| `Content-Security-Policy` | `default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-...'` |
+| `X-Frame-Options` | `DENY` |
+| `X-Content-Type-Options` | `nosniff` |
+| `Referrer-Policy` | `strict-origin-when-cross-origin` |
+| `Permissions-Policy` | `camera=(), microphone=(), geolocation=()` |
+| `X-Request-Id` | Unique per-request UUID for log correlation |
+| `Strict-Transport-Security` | Set when `MC_ENABLE_HSTS=1` |
+
+### 7. Audit Logging
+
+All security-relevant events are logged to the audit trail:
+
+- Login attempts (success and failure)
+- Task mutations
+- User management actions
+- Settings changes
+- Update operations
+
+Additionally, the **security event system** automatically logs:
+
+- Auth failures (invalid passwords, expired tokens, access denials)
+- Rate limit hits (429 responses with IP/agent correlation)
+- Injection attempts (prompt injection, command injection, exfiltration)
+- Secret exposures (AWS keys, GitHub tokens, Stripe keys, JWTs, private keys detected in agent messages)
+- MCP tool calls (agent, tool, duration, success/failure)
+
+These events feed into the **Security Audit Panel** (`/security`) which provides:
+
+- **Posture score** (0-100) with level badges (hardened/secure/needs-attention/at-risk)
+- **Agent trust scores** — weighted calculation based on auth failures, injection attempts, and task success rates
+- **MCP call audit** — tool-use frequency, success/failure rates per agent
+- **Timeline visualization** — event density over selected timeframe
+
+Configure retention: `MC_RETAIN_AUDIT_DAYS=365` (default: 1 year).
+
+### 8. Hook Profiles
+
+Security strictness is tunable via hook profiles in Settings > Security Profiles:
+
+| Profile | Secret Scanning | MCP Auditing | Block on Secrets | Rate Limit Multiplier |
+|---------|----------------|--------------|------------------|----------------------|
+| **minimal** | Off | Off | No | 2x (relaxed) |
+| **standard** (default) | On | On | No | 1x |
+| **strict** | On | On | Yes (blocks messages) | 0.5x (tighter) |
+
+Set via the Settings panel or the `hook_profile` key in the settings API.
+
+### 9. Agent Eval Framework
+
+The four-layer eval stack helps detect degrading agent quality:
+
+- **Output evals** — score task completion against golden datasets
+- **Trace evals** — convergence scoring (>3.0 indicates looping behavior)
+- **Component evals** — tool reliability from MCP call logs (p50/p95/p99 latency)
+- **Drift detection** — 10% threshold vs 4-week rolling baseline triggers alerts
+
+Access via `/api/agents/evals` or the Security Audit Panel's eval section.
+
+### 10. Data Retention
+
+```env
+MC_RETAIN_ACTIVITIES_DAYS=90       # Activity feed
+MC_RETAIN_AUDIT_DAYS=365           # Security audit trail
+MC_RETAIN_LOGS_DAYS=30             # Application logs
+MC_RETAIN_NOTIFICATIONS_DAYS=60    # Notifications
+MC_RETAIN_PIPELINE_RUNS_DAYS=90    # Pipeline logs
+MC_RETAIN_TOKEN_USAGE_DAYS=90      # Token/cost records
+MC_RETAIN_GATEWAY_SESSIONS_DAYS=90 # Gateway session history
+```
+
+---
+
+## OpenClaw Gateway Hardening
+
+Mission Control acts as the mothership for your OpenClaw fleet. The installer automatically checks and repairs common OpenClaw configuration issues.
+
+### 1. Network Security
+
+- **Never expose the gateway publicly.** It runs on port 18789 by default.
+- **Bind to localhost:** Set `gateway.bind: "loopback"` in `openclaw.json`.
+- **Use SSH tunneling or Tailscale** for remote access.
+- **Docker users:** Be aware that Docker can bypass UFW rules. Use `DOCKER-USER` chain rules.
+
+### 2. Authentication
+
+- **Always enable gateway auth** with a strong random token.
+- Generate: `openclaw doctor --generate-gateway-token`
+- Store in `OPENCLAW_GATEWAY_TOKEN` env var (never in `NEXT_PUBLIC_*` variables).
+- Rotate regularly.
+
+### 3. Hardened Gateway Configuration
+
+```json
+{
+  "gateway": {
+    "mode": "local",
+    "bind": "loopback",
+    "auth": {
+      "mode": "token",
+      "token": "replace-with-long-random-token"
+    }
+  },
+  "session": {
+    "dmScope": "per-channel-peer"
+  },
+  "tools": {
+    "profile": "messaging",
+    "deny": ["group:automation", "group:runtime", "group:fs", "sessions_spawn", "sessions_send"],
+    "fs": { "workspaceOnly": true },
+    "exec": { "security": "deny", "ask": "always" }
+  },
+  "elevated": { "enabled": false }
+}
+```
+
+### 4. File Permissions
+
+```bash
+chmod 700 ~/.openclaw
+chmod 600 ~/.openclaw/openclaw.json
+chmod 600 ~/.openclaw/credentials/*
+```
+
+### 5. Tool Security
+
+- Apply the principle of least privilege — only grant tools the agent needs.
+- Audit third-party skills before installing (Mission Control's Skills Hub runs automatic security scans).
+- Run agents processing untrusted content in a sandbox with a minimal toolset.
+
+### 6. Monitoring
+
+- Enable comprehensive logging: `logging.redactSensitive: "tools"`
+- Store logs separately where agents cannot modify them.
+- Use Mission Control's diagnostics API to monitor gateway health.
+- Have an incident response plan: stop gateway, revoke API keys, review audit logs.
+
+### 7. Known CVEs
+
+Keep OpenClaw updated. Notable past vulnerabilities:
+
+| CVE | Severity | Description | Fixed In |
+|-----|----------|-------------|----------|
+| CVE-2026-25253 | Critical | RCE via Control UI token hijack | v2026.1.29 |
+| CVE-2026-26327 | High | Auth bypass via gateway spoofing | v2026.2.25 |
+| CVE-2026-26322 | High | SSRF | v2026.2.25 |
+| CVE-2026-26329 | High | Path traversal | v2026.2.25 |
+| CVE-2026-26319 | Medium | Missing webhook auth | v2026.2.25 |
+
+---
+
+## Deployment Architecture
+
+For production, the recommended architecture is:
+
+```
+Internet
+  |
+[Reverse Proxy (Caddy/nginx) + TLS]
+  |
+[Mission Control :3000] ---- [SQLite .data/]
+  |
+[OpenClaw Gateway :18789 (localhost only)]
+  |
+[Agent Workspaces]
+```
+
+- Reverse proxy handles TLS termination, rate limiting, and access control
+- Mission Control listens on localhost or a private network
+- OpenClaw Gateway is bound to loopback only
+- Agent workspaces are isolated per-agent directories

docs/deployment.md

@@ -48,6 +48,32 @@ PORT=3000 pnpm start
 
 **Important:** The production build bundles platform-specific native binaries. You must run `pnpm install` and `pnpm build` on the same OS and architecture as the target server. A build created on macOS will not work on Linux.
 
+## Production (Standalone)
+
+Use this for bare-metal deployments that run Next's standalone server directly.
+This path is preferred over ad hoc `node .next/standalone/server.js` because it
+syncs `.next/static` and `public/` into the standalone bundle before launch.
+
+```bash
+pnpm install --frozen-lockfile
+pnpm build
+pnpm start:standalone
+```
+
+For a full in-place update on the target host:
+
+```bash
+BRANCH=fix/refactor PORT=3000 pnpm deploy:standalone
+```
+
+What `deploy:standalone` does:
+- fetches and fast-forwards the requested branch
+- reinstalls dependencies with the lockfile
+- rebuilds from a clean `.next/`
+- stops the old process bound to the target port
+- starts the standalone server through `scripts/start-standalone.sh`
+- verifies that the rendered login page references a CSS asset and that the CSS is served as `text/css`
+
 ## Production (Docker)
 
 ```bash

docs/plans/2026-03-10-onboarding-walkthrough-hardening.md

@@ -0,0 +1,31 @@
+# Onboarding + Walkthrough hardening plan
+
+Base branch: `fix/refactor`
+Working branch: `fix/refactor-onboarding-walkthrough`
+
+## Goals
+- Verify current onboarding and walkthrough flows are functional.
+- Fix edge cases for first-run, skip, replay, and recovery states.
+- Improve UX discoverability of walkthrough entry points.
+- Add regression tests to keep flows stable.
+
+## Phase 1: audit and test map
+1. Identify current onboarding/walkthrough code paths.
+2. Document triggers, persistence flags, and routing.
+3. Add failing tests for first-run, skip, replay, and already-seen states.
+
+## Phase 2: implementation hardening
+1. Fix state transitions and persistence updates.
+2. Ensure walkthrough can be reopened from primary UI.
+3. Add visible hint/help entry to improve discoverability.
+4. Handle corrupted or partial onboarding state safely.
+
+## Phase 3: verification
+1. Run targeted tests for onboarding/walkthrough.
+2. Run full project checks.
+3. Validate end-to-end flow manually in local dev.
+
+## Deliverables
+- Code changes in onboarding/walkthrough modules
+- Automated tests covering key onboarding paths
+- Updated docs/help text for walkthrough discoverability

install.sh

@@ -0,0 +1,429 @@
+#!/usr/bin/env bash
+# Mission Control — One-Command Installer
+# The mothership for your OpenClaw fleet.
+#
+# Usage:
+#   curl -fsSL https://raw.githubusercontent.com/builderz-labs/mission-control/main/install.sh | bash
+#   # or
+#   bash install.sh [--docker|--local] [--port PORT] [--data-dir DIR]
+#
+# Installs Mission Control and optionally repairs/configures OpenClaw.
+
+set -euo pipefail
+
+# ── Defaults ──────────────────────────────────────────────────────────────────
+MC_PORT="${MC_PORT:-3000}"
+MC_DATA_DIR=""
+DEPLOY_MODE=""
+SKIP_OPENCLAW=false
+REPO_URL="https://github.com/builderz-labs/mission-control.git"
+INSTALL_DIR="${MC_INSTALL_DIR:-$(pwd)/mission-control}"
+
+# ── Parse arguments ───────────────────────────────────────────────────────────
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --docker)       DEPLOY_MODE="docker"; shift ;;
+    --local)        DEPLOY_MODE="local"; shift ;;
+    --port)         MC_PORT="$2"; shift 2 ;;
+    --data-dir)     MC_DATA_DIR="$2"; shift 2 ;;
+    --skip-openclaw) SKIP_OPENCLAW=true; shift ;;
+    --dir)          INSTALL_DIR="$2"; shift 2 ;;
+    -h|--help)
+      echo "Usage: install.sh [--docker|--local] [--port PORT] [--data-dir DIR] [--dir INSTALL_DIR] [--skip-openclaw]"
+      exit 0 ;;
+    *) echo "Unknown option: $1"; exit 1 ;;
+  esac
+done
+
+# ── Helpers ───────────────────────────────────────────────────────────────────
+info()  { echo -e "\033[1;34m[MC]\033[0m $*"; }
+ok()    { echo -e "\033[1;32m[OK]\033[0m $*"; }
+warn()  { echo -e "\033[1;33m[!!]\033[0m $*"; }
+err()   { echo -e "\033[1;31m[ERR]\033[0m $*" >&2; }
+die()   { err "$*"; exit 1; }
+
+command_exists() { command -v "$1" &>/dev/null; }
+
+detect_os() {
+  local os arch
+  os="$(uname -s)"
+  arch="$(uname -m)"
+
+  case "$os" in
+    Linux)  OS="linux" ;;
+    Darwin) OS="darwin" ;;
+    *)      die "Unsupported OS: $os" ;;
+  esac
+
+  case "$arch" in
+    x86_64|amd64)  ARCH="x64" ;;
+    aarch64|arm64) ARCH="arm64" ;;
+    *)             die "Unsupported architecture: $arch" ;;
+  esac
+
+  ok "Detected $OS/$ARCH"
+}
+
+check_prerequisites() {
+  local has_docker=false has_node=false
+
+  if command_exists docker && docker info &>/dev/null 2>&1; then
+    has_docker=true
+    ok "Docker available ($(docker --version | head -1))"
+  fi
+
+  if command_exists node; then
+    local node_major
+    node_major=$(node -v | sed 's/v//' | cut -d. -f1)
+    if [[ "$node_major" -ge 20 ]]; then
+      has_node=true
+      ok "Node.js $(node -v) available"
+    else
+      warn "Node.js $(node -v) found but v20+ required"
+    fi
+  fi
+
+  if ! $has_docker && ! $has_node; then
+    die "Either Docker or Node.js 20+ is required. Install one and retry."
+  fi
+
+  # Auto-select deploy mode if not specified
+  if [[ -z "$DEPLOY_MODE" ]]; then
+    if $has_docker; then
+      DEPLOY_MODE="docker"
+      info "Auto-selected Docker deployment (use --local to override)"
+    else
+      DEPLOY_MODE="local"
+      info "Auto-selected local deployment (Docker not available)"
+    fi
+  fi
+
+  # Validate chosen mode
+  if [[ "$DEPLOY_MODE" == "docker" ]] && ! $has_docker; then
+    die "Docker deployment requested but Docker is not available"
+  fi
+  if [[ "$DEPLOY_MODE" == "local" ]] && ! $has_node; then
+    die "Local deployment requested but Node.js 20+ is not available"
+  fi
+  if [[ "$DEPLOY_MODE" == "local" ]] && ! command_exists pnpm; then
+    info "Installing pnpm via corepack..."
+    corepack enable && corepack prepare pnpm@latest --activate
+    ok "pnpm installed"
+  fi
+}
+
+# ── Clone or update repo ─────────────────────────────────────────────────────
+fetch_source() {
+  if [[ -d "$INSTALL_DIR/.git" ]]; then
+    info "Updating existing installation at $INSTALL_DIR..."
+    cd "$INSTALL_DIR"
+    git fetch --tags
+    local latest_tag
+    latest_tag=$(git describe --tags --abbrev=0 origin/main 2>/dev/null || echo "")
+    if [[ -n "$latest_tag" ]]; then
+      git checkout "$latest_tag"
+      ok "Checked out $latest_tag"
+    else
+      git pull origin main
+      ok "Updated to latest main"
+    fi
+  else
+    info "Cloning Mission Control..."
+    if command_exists git; then
+      git clone --depth 1 "$REPO_URL" "$INSTALL_DIR"
+      cd "$INSTALL_DIR"
+      ok "Cloned to $INSTALL_DIR"
+    else
+      die "git is required to clone the repository"
+    fi
+  fi
+}
+
+# ── Generate .env ─────────────────────────────────────────────────────────────
+setup_env() {
+  if [[ -f "$INSTALL_DIR/.env" ]]; then
+    info "Existing .env found — keeping current configuration"
+    return
+  fi
+
+  info "Generating secure .env configuration..."
+  bash "$INSTALL_DIR/scripts/generate-env.sh" "$INSTALL_DIR/.env"
+
+  # Set the port if non-default
+  if [[ "$MC_PORT" != "3000" ]]; then
+    if [[ "$(uname)" == "Darwin" ]]; then
+      sed -i '' "s|^# PORT=3000|PORT=$MC_PORT|" "$INSTALL_DIR/.env"
+    else
+      sed -i "s|^# PORT=3000|PORT=$MC_PORT|" "$INSTALL_DIR/.env"
+    fi
+  fi
+
+  ok "Secure .env generated"
+}
+
+# ── Docker deployment ─────────────────────────────────────────────────────────
+deploy_docker() {
+  info "Starting Docker deployment..."
+
+  export MC_PORT
+  docker compose up -d --build
+
+  # Wait for healthy
+  info "Waiting for Mission Control to become healthy..."
+  local retries=30
+  while [[ $retries -gt 0 ]]; do
+    if docker compose ps --format json 2>/dev/null | grep -q '"Health":"healthy"'; then
+      break
+    fi
+    # Fallback: try HTTP check
+    if curl -sf "http://localhost:$MC_PORT/login" &>/dev/null; then
+      break
+    fi
+    sleep 2
+    ((retries--))
+  done
+
+  if [[ $retries -eq 0 ]]; then
+    warn "Timeout waiting for health check — container may still be starting"
+    docker compose logs --tail 20
+  else
+    ok "Mission Control is running in Docker"
+  fi
+}
+
+# ── Local deployment ──────────────────────────────────────────────────────────
+deploy_local() {
+  info "Starting local deployment..."
+
+  cd "$INSTALL_DIR"
+  pnpm install --frozen-lockfile 2>/dev/null || pnpm install
+  ok "Dependencies installed"
+
+  info "Building Mission Control..."
+  pnpm build
+  ok "Build complete"
+
+  # Create systemd service on Linux if systemctl is available
+  if [[ "$OS" == "linux" ]] && command_exists systemctl; then
+    setup_systemd
+  fi
+
+  info "Starting Mission Control..."
+  PORT="$MC_PORT" nohup pnpm start > "$INSTALL_DIR/.data/mc.log" 2>&1 &
+  local pid=$!
+  echo "$pid" > "$INSTALL_DIR/.data/mc.pid"
+
+  sleep 3
+  if kill -0 "$pid" 2>/dev/null; then
+    ok "Mission Control running (PID $pid)"
+  else
+    err "Failed to start. Check logs: $INSTALL_DIR/.data/mc.log"
+    exit 1
+  fi
+}
+
+# ── Systemd service ──────────────────────────────────────────────────────────
+setup_systemd() {
+  local service_file="/etc/systemd/system/mission-control.service"
+  if [[ -f "$service_file" ]]; then
+    info "Systemd service already exists"
+    return
+  fi
+
+  info "Creating systemd service..."
+  local user
+  user="$(whoami)"
+  local node_path
+  node_path="$(which node)"
+
+  cat > /tmp/mission-control.service <<UNIT
+[Unit]
+Description=Mission Control - OpenClaw Agent Dashboard
+After=network.target
+
+[Service]
+Type=simple
+User=$user
+WorkingDirectory=$INSTALL_DIR
+ExecStart=$node_path $INSTALL_DIR/.next/standalone/server.js
+Restart=on-failure
+RestartSec=5
+Environment=NODE_ENV=production
+Environment=PORT=$MC_PORT
+EnvironmentFile=$INSTALL_DIR/.env
+
+[Install]
+WantedBy=multi-user.target
+UNIT
+
+  if [[ "$(id -u)" -eq 0 ]]; then
+    mv /tmp/mission-control.service "$service_file"
+    systemctl daemon-reload
+    systemctl enable mission-control
+    ok "Systemd service installed and enabled"
+  else
+    info "Run as root to install systemd service:"
+    info "  sudo mv /tmp/mission-control.service $service_file"
+    info "  sudo systemctl daemon-reload && sudo systemctl enable --now mission-control"
+  fi
+}
+
+# ── OpenClaw fleet check ─────────────────────────────────────────────────────
+check_openclaw() {
+  if $SKIP_OPENCLAW; then
+    info "Skipping OpenClaw checks (--skip-openclaw)"
+    return
+  fi
+
+  echo ""
+  info "=== OpenClaw Fleet Check ==="
+
+  # Check if openclaw binary exists
+  if command_exists openclaw; then
+    local oc_version
+    oc_version="$(openclaw --version 2>/dev/null || echo 'unknown')"
+    ok "OpenClaw binary found: $oc_version"
+  elif command_exists clawdbot; then
+    local cb_version
+    cb_version="$(clawdbot --version 2>/dev/null || echo 'unknown')"
+    ok "ClawdBot binary found: $cb_version (legacy)"
+    warn "Consider upgrading to openclaw CLI"
+  else
+    info "OpenClaw CLI not found — install it to enable agent orchestration"
+    info "  See: https://github.com/builderz-labs/openclaw"
+    return
+  fi
+
+  # Check OpenClaw home directory
+  local oc_home="${OPENCLAW_HOME:-$HOME/.openclaw}"
+  if [[ -d "$oc_home" ]]; then
+    ok "OpenClaw home: $oc_home"
+
+    # Check config
+    local oc_config="$oc_home/openclaw.json"
+    if [[ -f "$oc_config" ]]; then
+      ok "Config found: $oc_config"
+    else
+      warn "No openclaw.json found at $oc_config"
+      info "Mission Control will create a default config on first gateway connection"
+    fi
+
+    # Check for stale PID files
+    local stale_count=0
+    for pidfile in "$oc_home"/*.pid "$oc_home"/pids/*.pid; do
+      [[ -f "$pidfile" ]] || continue
+      local pid
+      pid="$(cat "$pidfile" 2>/dev/null)" || continue
+      if ! kill -0 "$pid" 2>/dev/null; then
+        rm -f "$pidfile"
+        ((stale_count++))
+      fi
+    done
+    if [[ $stale_count -gt 0 ]]; then
+      ok "Cleaned $stale_count stale PID file(s)"
+    fi
+
+    # Check logs directory size
+    local logs_dir="$oc_home/logs"
+    if [[ -d "$logs_dir" ]]; then
+      local logs_size
+      if [[ "$(uname)" == "Darwin" ]]; then
+        logs_size="$(du -sh "$logs_dir" 2>/dev/null | cut -f1)"
+      else
+        logs_size="$(du -sh "$logs_dir" 2>/dev/null | cut -f1)"
+      fi
+      info "Logs directory: $logs_size ($logs_dir)"
+
+      # Clean old logs (> 30 days)
+      local old_logs
+      old_logs=$(find "$logs_dir" -name "*.log" -mtime +30 2>/dev/null | wc -l | tr -d ' ')
+      if [[ "$old_logs" -gt 0 ]]; then
+        find "$logs_dir" -name "*.log" -mtime +30 -delete 2>/dev/null || true
+        ok "Cleaned $old_logs log file(s) older than 30 days"
+      fi
+    fi
+
+    # Check workspace directory
+    local workspace="$oc_home/workspace"
+    if [[ -d "$workspace" ]]; then
+      local agent_count
+      agent_count=$(find "$workspace" -maxdepth 1 -type d 2>/dev/null | wc -l | tr -d ' ')
+      ((agent_count--)) # subtract the workspace dir itself
+      info "Workspace: $agent_count agent workspace(s) in $workspace"
+    fi
+  else
+    info "OpenClaw home not found at $oc_home"
+    info "Set OPENCLAW_HOME in .env to point to your OpenClaw state directory"
+  fi
+
+  # Check gateway port
+  local gw_host="${OPENCLAW_GATEWAY_HOST:-127.0.0.1}"
+  local gw_port="${OPENCLAW_GATEWAY_PORT:-18789}"
+  if nc -z "$gw_host" "$gw_port" 2>/dev/null || (echo > "/dev/tcp/$gw_host/$gw_port") 2>/dev/null; then
+    ok "Gateway reachable at $gw_host:$gw_port"
+  else
+    info "Gateway not reachable at $gw_host:$gw_port (start it with: openclaw gateway start)"
+  fi
+}
+
+# ── Main ──────────────────────────────────────────────────────────────────────
+main() {
+  echo ""
+  echo "  ╔══════════════════════════════════════╗"
+  echo "  ║   Mission Control Installer          ║"
+  echo "  ║   The mothership for your fleet      ║"
+  echo "  ╚══════════════════════════════════════╝"
+  echo ""
+
+  detect_os
+  check_prerequisites
+
+  # If running from within an existing clone, use current dir
+  if [[ -f "$(pwd)/package.json" ]] && grep -q '"mission-control"' "$(pwd)/package.json" 2>/dev/null; then
+    INSTALL_DIR="$(pwd)"
+    info "Running from existing clone at $INSTALL_DIR"
+  else
+    fetch_source
+  fi
+
+  # Ensure data directory exists
+  mkdir -p "$INSTALL_DIR/.data"
+
+  setup_env
+
+  case "$DEPLOY_MODE" in
+    docker) deploy_docker ;;
+    local)  deploy_local ;;
+    *)      die "Unknown deploy mode: $DEPLOY_MODE" ;;
+  esac
+
+  check_openclaw
+
+  # ── Print summary ──
+  echo ""
+  echo "  ╔══════════════════════════════════════╗"
+  echo "  ║   Installation Complete              ║"
+  echo "  ╚══════════════════════════════════════╝"
+  echo ""
+  info "Dashboard:  http://localhost:$MC_PORT"
+  info "Mode:       $DEPLOY_MODE"
+  info "Data:       $INSTALL_DIR/.data/"
+  echo ""
+  info "Credentials are in: $INSTALL_DIR/.env"
+  echo ""
+
+  if [[ "$DEPLOY_MODE" == "docker" ]]; then
+    info "Manage:"
+    info "  docker compose logs -f        # view logs"
+    info "  docker compose restart         # restart"
+    info "  docker compose down            # stop"
+  else
+    info "Manage:"
+    info "  cat $INSTALL_DIR/.data/mc.log  # view logs"
+    info "  kill \$(cat $INSTALL_DIR/.data/mc.pid)  # stop"
+  fi
+
+  echo ""
+}
+
+main "$@"

next.config.js

@@ -1,6 +1,9 @@
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   output: 'standalone',
+  outputFileTracingExcludes: {
+    '/*': ['./.data/**/*'],
+  },
   turbopack: {},
   // Transpile ESM-only packages so they resolve correctly in all environments
   transpilePackages: ['react-markdown', 'remark-gfm'],
@@ -11,12 +14,13 @@ const nextConfig = {
 
     const csp = [
       `default-src 'self'`,
-      `script-src 'self' 'unsafe-inline'${googleEnabled ? ' https://accounts.google.com' : ''}`,
+      `script-src 'self' 'unsafe-inline' blob:${googleEnabled ? ' https://accounts.google.com' : ''}`,
       `style-src 'self' 'unsafe-inline'`,
-      `connect-src 'self' ws: wss: http://127.0.0.1:* http://localhost:*`,
+      `connect-src 'self' ws: wss: http://127.0.0.1:* http://localhost:* https://cdn.jsdelivr.net`,
       `img-src 'self' data: blob:${googleEnabled ? ' https://*.googleusercontent.com https://lh3.googleusercontent.com' : ''}`,
       `font-src 'self' data:`,
       `frame-src 'self'${googleEnabled ? ' https://accounts.google.com' : ''}`,
+      `worker-src 'self' blob:`,
     ].join('; ')
 
     return [

openclaw_hardening_guide.md

@@ -0,0 +1,124 @@
+# OpenClaw Gateway Security and Hardening Best Practices
+
+This document consolidates security and hardening best practices for the OpenClaw Gateway, drawing from official documentation and recent security advisories.
+
+## 1. Core Security Model & Deployment Considerations
+
+OpenClaw is designed primarily for a **personal assistant deployment model**, assuming one trusted operator per gateway. It is **not intended for multi-tenant environments** with untrusted or adversarial users. For such scenarios, run separate gateway instances for each trust boundary.
+
+## 2. Hardened Baseline Configuration
+
+For a secure starting point, consider the following configuration, which keeps the Gateway local, isolates DMs, and disables potentially dangerous tools by default:
+
+```json
+{
+  "gateway": {
+    "mode": "local",
+    "bind": "loopback",
+    "auth": {
+      "mode": "token",
+      "token": "replace-with-long-random-token"
+    }
+  },
+  "session": {
+    "dmScope": "per-channel-peer"
+  },
+  "tools": {
+    "profile": "messaging",
+    "deny": ["group:automation", "group:runtime", "group:fs", "sessions_spawn", "sessions_send"],
+    "fs": {
+      "workspaceOnly": true
+    },
+    "exec": {
+      "security": "deny",
+      "ask": "always"
+    }
+  },
+  "elevated": {
+    "enabled": false
+  },
+  "channels": {
+    "whatsapp": {
+      "dmPolicy": "pairing",
+      "groups": {
+        "*": {
+          "requireMention": true
+        }
+      }
+    }
+  }
+}
+```
+
+## 3. Key Hardening Recommendations
+
+### 3.1. Network Security
+
+*   **Do Not Expose Publicly:** Never expose the OpenClaw gateway directly to the public internet. It typically runs on port 18789. Publicly exposed gateways are easily discoverable.
+*   **Bind to Localhost:** Configure the gateway to listen only for connections from the local machine by binding it to `127.0.0.1` (localhost) or `loopback` in your `openclaw.json`.
+*   **Firewall Rules:** Implement strict firewall rules to block all unnecessary inbound and outbound connections, allowing only essential traffic.
+*   **Secure Remote Access:** For remote access, use secure methods like SSH tunneling or a VPN (e.g., Tailscale) instead of direct exposure.
+*   **Docker Considerations:** If using Docker, be aware that it can bypass UFW rules. Configure rules in the `DOCKER-USER` chain to control exposure.
+
+### 3.2. Authentication and Access Control
+
+*   **Enable Gateway Authentication:** Always enable gateway authentication and use a strong, randomly generated authentication token. Generate a token with `openclaw doctor --generate-gateway-token`.
+*   **Manage Access Tokens:** Treat your gateway authentication token like a password. Rotate it regularly and store it securely (e.g., as an environment variable, not in plaintext config files).
+*   **Restrict Chat and Messaging:** If integrating with chat platforms, use allowlists to specify which user IDs can interact with your agent.
+*   **Direct Messages (DMs) and Groups:**
+    *   For DMs, use the default `pairing` policy (`dmPolicy: "pairing"`) to require approval for unknown senders.
+    *   For group chats, require the bot to be explicitly mentioned to respond (`requireMention: true`).
+    *   Isolate DM sessions using `session.dmScope: "per-channel-peer"` to prevent context leakage.
+
+### 3.3. Isolation and Sandboxing
+
+*   **Run in a Docker Container:** The recommended approach is to run OpenClaw within a Docker container for process isolation, filesystem restrictions, and network controls.
+*   **Harden Docker Configuration:**
+    *   Do not mount your home directory or the Docker socket.
+    *   Use read-only filesystems where possible.
+    *   Drop unnecessary Linux capabilities.
+    *   Run the container as a non-root user.
+*   **Enable Sandbox Mode:** For tasks that execute code, enable OpenClaw's sandbox mode to prevent malicious or compromised prompts from accessing your system or network. Configure this in `agents.defaults.sandbox`.
+
+### 3.4. Credential and Secret Management
+
+*   **Avoid Plaintext Storage:** Never store API keys, tokens, or other sensitive information in plaintext configuration files.
+*   **Use Secure Storage Mechanisms:** Load credentials from environment variables or use dedicated secrets management solutions (e.g., Hashicorp Vault, AWS Secrets Manager).
+
+### 3.5. File System Permissions
+
+*   Ensure your configuration and state files are private.
+*   `~/.openclaw/openclaw.json` should have permissions `600` (user read/write only).
+*   The `~/.openclaw` directory should have permissions `700` (user access only).
+*   `~/.openclaw/credentials/` and its contents should also be `600`.
+
+### 3.6. Tool and Skill Security
+
+*   **Principle of Least Privilege:** Only grant the agent the permissions and tools it absolutely needs.
+*   **Audit Third-Party Skills:** Be extremely cautious with third-party skills, as they can contain malicious code. Research has shown a significant number of skills on marketplaces may be malicious.
+
+### 3.7. Prompt Injection Mitigation
+
+*   Lock down who can message the bot using DM pairing and allowlists.
+*   Require mentions in group chats.
+*   Run agents that process untrusted content in a sandbox with a minimal toolset.
+*   Use the latest, most powerful models, as they are generally more resistant to prompt injection.
+
+### 3.8. Monitoring and Incident Response
+
+*   **Enable Logging:** Turn on comprehensive logging for all agent activities (command executions, API calls, file access). Store logs in a secure, separate location where the agent cannot modify them.
+*   **Log Redaction:** Keep log redaction enabled (`logging.redactSensitive: "tools"`) to prevent sensitive information from leaking into logs.
+*   **Incident Response Plan:** Have a plan for suspected compromises, including stopping the gateway and revoking API keys.
+
+## 4. Staying Updated and Aware of Vulnerabilities
+
+The OpenClaw project is under active development, and new vulnerabilities are discovered.
+
+*   **Keep Software Updated:** Regularly update OpenClaw and its dependencies to ensure you have the latest security patches.
+*   **Be Aware of Recent Threats:** Stay informed about new vulnerabilities. Notable past vulnerabilities include:
+    *   **ClawJacked (High Severity):** Allowed malicious websites to hijack locally running OpenClaw instances via WebSocket connections and brute-force password. Patched in v2026.2.25.
+    *   **Remote Code Execution (Critical - CVE-2026-25253):** A malicious link could trick the Control UI into sending an auth token to an attacker-controlled server, leading to RCE. Patched in v2026.1.29.
+    *   **Authentication Bypass (High Severity - CVE-2026-26327):** Allowed attackers on the same local network to intercept credentials by spoofing a legitimate gateway.
+    *   **Other Vulnerabilities:** Server-Side Request Forgery (SSRF - CVE-2026-26322), missing webhook authentication (CVE-2026-26319), and path traversal (CVE-2026-26329).
+
+By diligently applying these practices, you can significantly enhance the security posture of your OpenClaw Gateway deployment.

package.json

@@ -1,28 +1,33 @@
 {
   "name": "mission-control",
-  "version": "1.3.0",
+  "version": "2.0.0",
   "description": "OpenClaw Mission Control — open-source agent orchestration dashboard",
   "scripts": {
-    "dev": "next dev --hostname 127.0.0.1 --port ${PORT:-3000}",
-    "build": "next build",
-    "start": "next start --hostname 0.0.0.0 --port ${PORT:-3000}",
-    "lint": "eslint .",
-    "typecheck": "tsc --noEmit",
-    "test": "vitest run",
+    "verify:node": "node scripts/check-node-version.mjs",
+    "dev": "pnpm run verify:node && next dev --hostname 127.0.0.1 --port ${PORT:-3000}",
+    "build": "pnpm run verify:node && next build",
+    "start": "pnpm run verify:node && next start --hostname 0.0.0.0 --port ${PORT:-3000}",
+    "start:standalone": "pnpm run verify:node && bash scripts/start-standalone.sh",
+    "deploy:standalone": "pnpm run verify:node && bash scripts/deploy-standalone.sh",
+    "lint": "pnpm run verify:node && eslint .",
+    "typecheck": "pnpm run verify:node && tsc --noEmit",
+    "test": "pnpm run verify:node && vitest run",
     "test:watch": "vitest",
     "test:ui": "vitest --ui",
-    "test:e2e": "playwright test",
-    "test:e2e:openclaw:local": "E2E_GATEWAY_EXPECTED=0 playwright test -c playwright.openclaw.local.config.ts",
-    "test:e2e:openclaw:gateway": "E2E_GATEWAY_EXPECTED=1 playwright test -c playwright.openclaw.gateway.config.ts",
+    "test:e2e": "pnpm run verify:node && playwright test",
+    "test:e2e:openclaw:local": "pnpm run verify:node && E2E_GATEWAY_EXPECTED=0 playwright test -c playwright.openclaw.local.config.ts",
+    "test:e2e:openclaw:gateway": "pnpm run verify:node && E2E_GATEWAY_EXPECTED=1 playwright test -c playwright.openclaw.gateway.config.ts",
     "test:e2e:openclaw": "pnpm test:e2e:openclaw:local && pnpm test:e2e:openclaw:gateway",
     "test:all": "pnpm lint && pnpm typecheck && pnpm test && pnpm build && pnpm test:e2e",
     "quality:gate": "pnpm test:all"
   },
   "dependencies": {
+    "@radix-ui/react-slot": "^1.2.4",
     "@scalar/api-reference-react": "^0.8.66",
     "@xyflow/react": "^12.10.0",
     "autoprefixer": "^10.4.20",
     "better-sqlite3": "^12.6.2",
+    "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "eslint": "^9.18.0",
     "eslint-config-next": "^16.1.6",
@@ -34,6 +39,7 @@
     "react-dom": "^19.0.1",
     "react-markdown": "^10.1.0",
     "reactflow": "^11.11.4",
+    "reagraph": "^4.30.8",
     "recharts": "^3.7.0",
     "remark-gfm": "^4.0.1",
     "tailwind-merge": "^3.4.0",
@@ -60,7 +66,7 @@
     "vitest": "^2.1.5"
   },
   "engines": {
-    "node": ">=20"
+    "node": ">=22 <23"
   },
   "keywords": [
     "openclaw",

playwright.config.ts

@@ -18,14 +18,13 @@ export default defineConfig({
     { name: 'chromium', use: { ...devices['Desktop Chrome'] } }
   ],
   webServer: {
-    command: 'node .next/standalone/server.js',
+    command: 'node scripts/e2e-openclaw/start-e2e-server.mjs --mode=local',
     url: 'http://127.0.0.1:3005',
     reuseExistingServer: true,
     timeout: 120_000,
     env: {
       ...process.env,
-      HOSTNAME: process.env.HOSTNAME || '127.0.0.1',
-      PORT: process.env.PORT || '3005',
+      MISSION_CONTROL_TEST_MODE: process.env.MISSION_CONTROL_TEST_MODE || '1',
       MC_DISABLE_RATE_LIMIT: process.env.MC_DISABLE_RATE_LIMIT || '1',
       MC_WORKLOAD_QUEUE_DEPTH_THROTTLE: process.env.MC_WORKLOAD_QUEUE_DEPTH_THROTTLE || '1000',
       MC_WORKLOAD_QUEUE_DEPTH_SHED: process.env.MC_WORKLOAD_QUEUE_DEPTH_SHED || '2000',
@@ -34,7 +33,6 @@ export default defineConfig({
       API_KEY: process.env.API_KEY || 'test-api-key-e2e-12345',
       AUTH_USER: process.env.AUTH_USER || 'testadmin',
       AUTH_PASS: process.env.AUTH_PASS || 'testpass1234!',
-      OPENCLAW_MEMORY_DIR: process.env.OPENCLAW_MEMORY_DIR || '.data/e2e-memory',
     },
   }
 })

pnpm-lock.yaml

@@ -8,6 +8,9 @@ importers:
 
   .:
     dependencies:
+      '@radix-ui/react-slot':
+        specifier: ^1.2.4
+        version: 1.2.4(@types/react@19.2.13)(react@19.2.4)
       '@scalar/api-reference-react':
         specifier: ^0.8.66
         version: 0.8.66(react@19.2.4)(tailwindcss@3.4.19(yaml@2.8.2))(typescript@5.9.3)
@@ -20,6 +23,9 @@ importers:
       better-sqlite3:
         specifier: ^12.6.2
         version: 12.6.2
+      class-variance-authority:
+        specifier: ^0.7.1
+        version: 0.7.1
       clsx:
         specifier: ^2.1.1
         version: 2.1.1
@@ -53,6 +59,9 @@ importers:
       reactflow:
         specifier: ^11.11.4
         version: 11.11.4(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+      reagraph:
+        specifier: ^4.30.8
+        version: 4.30.8(@types/react@19.2.13)(@types/three@0.183.1)(graphology-types@0.24.8)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(use-sync-external-store@1.6.0(react@19.2.4))
       recharts:
         specifier: ^3.7.0
         version: 3.7.0(@types/react@19.2.13)(react-dom@19.2.4(react@19.2.4))(react-is@17.0.2)(react@19.2.4)(redux@5.0.1)
@@ -306,6 +315,9 @@ packages:
     resolution: {integrity: sha512-Vd/9EVDiu6PPJt9yAh6roZP6El1xHrdvIVGjyBsHR0RYwNHgL7FJPyIIW4fANJNG6FtyZfvlRPpFI4ZM/lubvw==}
     engines: {node: '>=18'}
 
+  '@dimforge/rapier3d-compat@0.12.0':
+    resolution: {integrity: sha512-uekIGetywIgopfD97oDL5PfeezkFpNhwlzlaEYNOA0N6ghdsOvh/HYjSMek5Q2O1PYvRSDFcqFVJl4r4ZBwOow==}
+
   '@emnapi/core@1.8.1':
     resolution: {integrity: sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==}
 
@@ -736,6 +748,14 @@ packages:
   '@marijn/find-cluster-break@1.0.2':
     resolution: {integrity: sha512-l0h88YhZFyKdXIFNfSWpyjStDjGHwZ/U7iobcK1cQQD8sejsONdQtTVU+1wVN1PBw40PiiHB1vA5S7VTfQiP9g==}
 
+  '@mediapipe/tasks-vision@0.10.17':
+    resolution: {integrity: sha512-CZWV/q6TTe8ta61cZXjfnnHsfWIdFhms03M9T7Cnd5y2mdpylJM0rF1qRq+wsQVRMLz1OYPVEBU9ph2Bx8cxrg==}
+
+  '@monogrid/gainmap-js@3.4.0':
+    resolution: {integrity: sha512-2Z0FATFHaoYJ8b+Y4y4Hgfn3FRFwuU5zRrk+9dFWp4uGAdHGqVEdP7HP+gLA3X469KXHmfupJaUbKo1b/aDKIg==}
+    peerDependencies:
+      three: '>= 0.159.0'
+
   '@napi-rs/wasm-runtime@0.2.12':
     resolution: {integrity: sha512-ZVWUcfwY4E/yPitQJl481FjFo3K22D6qF0DuFH6Y/nbnE11GY5uguDxZMGXPQ8WQ0128MXQD7TnfHyK4oWoIJQ==}
 
@@ -828,6 +848,88 @@ packages:
     engines: {node: '>=18'}
     hasBin: true
 
+  '@radix-ui/react-compose-refs@1.1.2':
+    resolution: {integrity: sha512-z4eqJvfiNnFMHIIvXP3CY57y2WJs5g2v3X0zm9mEJkrkNv4rDxu+sg9Jh8EkXyeqBkB7SOcboo9dMVqhyrACIg==}
+    peerDependencies:
+      '@types/react': '*'
+      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
+    peerDependenciesMeta:
+      '@types/react':
+        optional: true
+
+  '@radix-ui/react-slot@1.2.4':
+    resolution: {integrity: sha512-Jl+bCv8HxKnlTLVrcDE8zTMJ09R9/ukw4qBs/oZClOfoQk/cOTbDn+NceXfV7j09YPVQUryJPHurafcSg6EVKA==}
+    peerDependencies:
+      '@types/react': '*'
+      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
+    peerDependenciesMeta:
+      '@types/react':
+        optional: true
+
+  '@react-spring/animated@10.0.3':
+    resolution: {integrity: sha512-7MrxADV3vaUADn2V9iYhaIL6iOWRx9nCJjYrsk2AHD2kwPr6fg7Pt0v+deX5RnCDmCKNnD6W5fasiyM8D+wzJQ==}
+    peerDependencies:
+      react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
+
+  '@react-spring/core@10.0.3':
+    resolution: {integrity: sha512-D4DwNO68oohDf/0HG2G0Uragzb9IA1oXblxrd6MZAcBcUQG2EHUWXewjdECMPLNmQvlYVyyBRH6gPxXM5DX7DQ==}
+    peerDependencies:
+      react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
+
+  '@react-spring/rafz@10.0.3':
+    resolution: {integrity: sha512-Ri2/xqt8OnQ2iFKkxKMSF4Nqv0LSWnxXT4jXFzBDsHgeeH/cHxTLupAWUwmV9hAGgmEhBmh5aONtj3J6R/18wg==}
+
+  '@react-spring/shared@10.0.3':
+    resolution: {integrity: sha512-geCal66nrkaQzUVhPkGomylo+Jpd5VPK8tPMEDevQEfNSWAQP15swHm+MCRG4wVQrQlTi9lOzKzpRoTL3CA84Q==}
+    peerDependencies:
+      react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
+
+  '@react-spring/three@10.0.3':
+    resolution: {integrity: sha512-hZP7ChF/EwnWn+H2xuzAsRRfQdhquoBTI1HKgO6X9V8tcVCuR69qJmsA9N00CA4Nzx0bo/zwBtqONmi55Ffm5w==}
+    peerDependencies:
+      '@react-three/fiber': '>=6.0'
+      react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
+      three: '>=0.126'
+
+  '@react-spring/types@10.0.3':
+    resolution: {integrity: sha512-H5Ixkd2OuSIgHtxuHLTt7aJYfhMXKXT/rK32HPD/kSrOB6q6ooeiWAXkBy7L8F3ZxdkBb9ini9zP9UwnEFzWgQ==}
+
+  '@react-three/drei@10.7.7':
+    resolution: {integrity: sha512-ff+J5iloR0k4tC++QtD/j9u3w5fzfgFAWDtAGQah9pF2B1YgOq/5JxqY0/aVoQG5r3xSZz0cv5tk2YuBob4xEQ==}
+    peerDependencies:
+      '@react-three/fiber': ^9.0.0
+      react: ^19
+      react-dom: ^19
+      three: '>=0.159'
+    peerDependenciesMeta:
+      react-dom:
+        optional: true
+
+  '@react-three/fiber@9.5.0':
+    resolution: {integrity: sha512-FiUzfYW4wB1+PpmsE47UM+mCads7j2+giRBltfwH7SNhah95rqJs3ltEs9V3pP8rYdS0QlNne+9Aj8dS/SiaIA==}
+    peerDependencies:
+      expo: '>=43.0'
+      expo-asset: '>=8.4'
+      expo-file-system: '>=11.0'
+      expo-gl: '>=11.0'
+      react: '>=19 <19.3'
+      react-dom: '>=19 <19.3'
+      react-native: '>=0.78'
+      three: '>=0.156'
+    peerDependenciesMeta:
+      expo:
+        optional: true
+      expo-asset:
+        optional: true
+      expo-file-system:
+        optional: true
+      expo-gl:
+        optional: true
+      react-dom:
+        optional: true
+      react-native:
+        optional: true
+
   '@reactflow/background@11.3.14':
     resolution: {integrity: sha512-Gewd7blEVT5Lh6jqrvOgd4G6Qk17eGKQfsDXgyRSqM+CTwDqRldG2LsWN4sNeno6sbqVIC2fZ+rAUBFA9ZEUDA==}
     peerDependencies:
@@ -1175,6 +1277,9 @@ packages:
       '@types/react-dom':
         optional: true
 
+  '@tweenjs/tween.js@23.1.3':
+    resolution: {integrity: sha512-vJmvvwFxYuGnF2axRtPYocag6Clbb5YS7kLL+SO/TeVFzHqDIWrNKYtcsPMibjDx9O+bu+psAy9NKfWklassUA==}
+
   '@tybys/wasm-util@0.10.1':
     resolution: {integrity: sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==}
 
@@ -1292,6 +1397,9 @@ packages:
   '@types/debug@4.1.12':
     resolution: {integrity: sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==}
 
+  '@types/draco3d@1.4.10':
+    resolution: {integrity: sha512-AX22jp8Y7wwaBgAixaSvkoG4M/+PlAcm3Qs4OW8yT9DM4xUpWKeFhLueTAyZF39pviAdcDdeJoACapiAceqNcw==}
+
   '@types/estree-jsx@1.0.5':
     resolution: {integrity: sha512-52CcUVNFyfb1A2ALocQw/Dd1BQFNmSdkuC3BkZ6iqhdMfQz7JWOFRuJFloOzjk+6WijU56m9oKXFAXc7o3Towg==}
 
@@ -1322,14 +1430,28 @@ packages:
   '@types/node@22.19.9':
     resolution: {integrity: sha512-PD03/U8g1F9T9MI+1OBisaIARhSzeidsUjQaf51fOxrfjeiKN9bLVO06lHuHYjxdnqLWJijJHfqXPSJri2EM2A==}
 
+  '@types/offscreencanvas@2019.7.3':
+    resolution: {integrity: sha512-ieXiYmgSRXUDeOntE1InxjWyvEelZGP63M+cGuquuRLuIKKT1osnkXjxev9B7d1nXSug5vpunx+gNlbVxMlC9A==}
+
   '@types/react-dom@19.2.3':
     resolution: {integrity: sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==}
     peerDependencies:
       '@types/react': ^19.2.0
 
+  '@types/react-reconciler@0.28.9':
+    resolution: {integrity: sha512-HHM3nxyUZ3zAylX8ZEyrDNd2XZOnQ0D5XfunJF5FLQnZbHHYq4UWvW1QfelQNXv1ICNkwYhfxjwfnqivYB6bFg==}
+    peerDependencies:
+      '@types/react': '*'
+
   '@types/react@19.2.13':
     resolution: {integrity: sha512-KkiJeU6VbYbUOp5ITMIc7kBfqlYkKA5KhEHVrGMmUUMt7NeaZg65ojdPk+FtNrBAOXNVM5QM72jnADjM+XVRAQ==}
 
+  '@types/stats.js@0.17.4':
+    resolution: {integrity: sha512-jIBvWWShCvlBqBNIZt0KAshWpvSjhkwkEu4ZUcASoAvhmrgAUI2t1dXrjSL4xXVLB4FznPrIsX3nKXFl/Dt4vA==}
+
+  '@types/three@0.183.1':
+    resolution: {integrity: sha512-f2Pu5Hrepfgavttdye3PsH5RWyY/AvdZQwIVhrc4uNtvF7nOWJacQKcoVJn0S4f0yYbmAE6AR+ve7xDcuYtMGw==}
+
   '@types/unist@2.0.11':
     resolution: {integrity: sha512-CmBKiL6NNo/OqgmMn95Fk9Whlp2mtvIv+KNpQKN2F4SjvrEesubTRWGYSg+BnWZOnlCaSTU1sMpsBOzgbYhnsA==}
 
@@ -1345,6 +1467,9 @@ packages:
   '@types/web-bluetooth@0.0.21':
     resolution: {integrity: sha512-oIQLCGWtcFZy2JW77j9k8nHzAOpqMHLQejDA48XXMWH6tjCQHz5RCFz1bzsmROyL6PUm+LLnUiI4BCn221inxA==}
 
+  '@types/webxr@0.5.24':
+    resolution: {integrity: sha512-h8fgEd/DpoS9CBrjEQXR+dIDraopAEfu4wYVNY2tEPwk60stPWhvZMf4Foo5FakuQ7HFZoa8WceaWFervK2Ovg==}
+
   '@types/ws@8.18.1':
     resolution: {integrity: sha512-ThVF6DCVhA8kUGy+aazFQ4kXQ7E1Ty7A3ypFOe0IcJV8O/M511G99AW24irKrW56Wt44yG9+ij8FaqoBGkuBXg==}
 
@@ -1518,6 +1643,14 @@ packages:
     cpu: [x64]
     os: [win32]
 
+  '@use-gesture/core@10.3.1':
+    resolution: {integrity: sha512-WcINiDt8WjqBdUXye25anHiNxPc0VOrlT8F6LLkU6cycrOGUDyY/yyFmsg3k8i5OLvv25llc0QC45GhR/C8llw==}
+
+  '@use-gesture/react@10.3.1':
+    resolution: {integrity: sha512-Yy19y6O2GJq8f7CHf7L0nxL8bf4PZCPaVOCgJrusOeFHY1LvHgYXnmnXg6N5iwAnbgbZCDjo60SiM6IPJi9C5g==}
+    peerDependencies:
+      react: '>= 16.8.0'
+
   '@vercel/oidc@3.1.0':
     resolution: {integrity: sha512-Fw28YZpRnA3cAHHDlkt7xQHiJ0fcL+NRcIqsocZQUSmbzeIKRpwttJjik5ZGanXP+vlA4SbTg+AbA3bP363l+w==}
     engines: {node: '>= 20'}
@@ -1653,6 +1786,9 @@ packages:
     peerDependencies:
       vue: ^3.5.0
 
+  '@webgpu/types@0.1.69':
+    resolution: {integrity: sha512-RPmm6kgRbI8e98zSD3RVACvnuktIja5+yLgDAkTmxLr90BEwdTXRQWNLF3ETTTyH/8mKhznZuN5AveXYFEsMGQ==}
+
   '@xyflow/react@12.10.0':
     resolution: {integrity: sha512-eOtz3whDMWrB4KWVatIBrKuxECHqip6PfA8fTpaS2RUGVpiEAe+nqDKsLqkViVWxDGreq0lWX71Xth/SPAzXiw==}
     peerDependencies:
@@ -1662,6 +1798,9 @@ packages:
   '@xyflow/system@0.0.74':
     resolution: {integrity: sha512-7v7B/PkiVrkdZzSbL+inGAo6tkR/WQHHG0/jhSvLQToCsfa8YubOGmBYd1s08tpKpihdHDZFwzQZeR69QSBb4Q==}
 
+  '@yomguithereal/helpers@1.1.1':
+    resolution: {integrity: sha512-UYvAq/XCA7xoh1juWDYsq3W0WywOB+pz8cgVnE1b45ZfdMhBvHDrgmSFG3jXeZSr2tMTYLGHFHON+ekG05Jebg==}
+
   acorn-jsx@5.3.2:
     resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==}
     peerDependencies:
@@ -1823,6 +1962,9 @@ packages:
     resolution: {integrity: sha512-8VYKM3MjCa9WcaSAI3hzwhmyHVlH8tiGFwf0RlTsZPWJ1I5MkzjiudCo4KC4DxOaL/53A5B1sI/IbldNFDbsKA==}
     engines: {node: 20.x || 22.x || 23.x || 24.x || 25.x}
 
+  bidi-js@1.0.3:
+    resolution: {integrity: sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==}
+
   binary-extensions@2.3.0:
     resolution: {integrity: sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==}
     engines: {node: '>=8'}
@@ -1851,6 +1993,9 @@ packages:
   buffer@5.7.1:
     resolution: {integrity: sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==}
 
+  buffer@6.0.3:
+    resolution: {integrity: sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA==}
+
   cac@6.7.14:
     resolution: {integrity: sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ==}
     engines: {node: '>=8'}
@@ -1875,6 +2020,12 @@ packages:
     resolution: {integrity: sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA==}
     engines: {node: '>= 6'}
 
+  camera-controls@3.1.2:
+    resolution: {integrity: sha512-xkxfpG2ECZ6Ww5/9+kf4mfg1VEYAoe9aDSY+IwF0UEs7qEzwy0aVRfs2grImIECs/PoBtWFrh7RXsQkwG922JA==}
+    engines: {node: '>=22.0.0', npm: '>=10.5.1'}
+    peerDependencies:
+      three: '>=0.126.1'
+
   caniuse-lite@1.0.30001769:
     resolution: {integrity: sha512-BCfFL1sHijQlBGWBMuJyhZUhzo7wer5sVj9hqekB/7xn0Ypy+pER/edCYQm4exbXj4WiySGp40P8UuTh6w1srg==}
 
@@ -1916,9 +2067,15 @@ packages:
   chownr@1.1.4:
     resolution: {integrity: sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==}
 
+  class-variance-authority@0.7.1:
+    resolution: {integrity: sha512-Ka+9Trutv7G8M6WT6SeiRWz792K5qEqIGEGzXKhAE6xOWAY6pPH8U+9IY3oCMv6kqTmLsv7Xh/2w2RigkePMsg==}
+
   classcat@5.0.5:
     resolution: {integrity: sha512-JhZUT7JFcQy/EzW605k/ktHtncoo9vnyW/2GspNYwFlN1C/WmjuV/xtS04e9SOkL2sTdw0VAZ2UGCcQ9lR6p6w==}
 
+  classnames@2.5.1:
+    resolution: {integrity: sha512-saHYOzhIQs6wy2sVxTM6bUDsQO4F50V9RQ22qBpEdCW+I+/Wmke2HOl6lS6dTpdxVhb88/I6+Hs+438c3lfUow==}
+
   client-only@0.0.1:
     resolution: {integrity: sha512-IV3Ou0jSMzZrd3pZ48nLkT9DA7Ag1pnPzaiQhpW7c3RbcqqzvzzVu+L8gfqMp/8IM2MQtSiqaCxrrcfu8I8rMA==}
 
@@ -1956,6 +2113,11 @@ packages:
   crelt@1.0.6:
     resolution: {integrity: sha512-VQ2MBenTq1fWZUH9DJNGti7kKv6EeAuYr3cLwxUWhIu1baTaXh4Ib5W2CqHVqib4/MqbYGJqiL3Zb8GJZr3l4g==}
 
+  cross-env@7.0.3:
+    resolution: {integrity: sha512-+/HKd6EgcQCJGh2PSjZuUitQBQynKor4wrFbRg4DtAgS1aWO+gU52xpH7M9ScGgXSYmAVS9bIJ8EzuaGw0oNAw==}
+    engines: {node: '>=10.14', npm: '>=6', yarn: '>=1'}
+    hasBin: true
+
   cross-spawn@7.0.6:
     resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
     engines: {node: '>= 8'}
@@ -1995,6 +2157,9 @@ packages:
     resolution: {integrity: sha512-tdQAmyA18i4J7wprpYq8ClcxZy3SC31QMeByyCFyRt7BVHdREQZ5lpzoe5mFEYZUWe+oq8HBvk9JjpibyEV4Jg==}
     engines: {node: '>=12'}
 
+  d3-binarytree@1.0.2:
+    resolution: {integrity: sha512-cElUNH+sHu95L04m92pG73t2MEJXKu+GeKUN1TJkFsu93E5W8E9Sc3kHEGJKgenGvj19m6upSn2EunvMgMD2Yw==}
+
   d3-color@3.1.0:
     resolution: {integrity: sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA==}
     engines: {node: '>=12'}
@@ -2011,18 +2176,33 @@ packages:
     resolution: {integrity: sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w==}
     engines: {node: '>=12'}
 
+  d3-force-3d@3.0.6:
+    resolution: {integrity: sha512-4tsKHUPLOVkyfEffZo1v6sFHvGFwAIIjt/W8IThbp08DYAsXZck+2pSHEG5W1+gQgEvFLdZkYvmJAbRM2EzMnA==}
+    engines: {node: '>=12'}
+
   d3-format@3.1.2:
     resolution: {integrity: sha512-AJDdYOdnyRDV5b6ArilzCPPwc1ejkHcoyFarqlPqT7zRYjhavcT3uSrqcMvsgh2CgoPbK3RCwyHaVyxYcP2Arg==}
     engines: {node: '>=12'}
 
+  d3-hierarchy@3.1.2:
+    resolution: {integrity: sha512-FX/9frcub54beBdugHjDCdikxThEqjnR93Qt7PvQTOHxyiNCAlvMrHhclk3cD5VeAaq9fxmfRp+CnWw9rEMBuA==}
+    engines: {node: '>=12'}
+
   d3-interpolate@3.0.1:
     resolution: {integrity: sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g==}
     engines: {node: '>=12'}
 
+  d3-octree@1.1.0:
+    resolution: {integrity: sha512-F8gPlqpP+HwRPMO/8uOu5wjH110+6q4cgJvgJT6vlpy3BEaDIKlTZrgHKZSp/i1InRpVfh4puY/kvL6MxK930A==}
+
   d3-path@3.1.0:
     resolution: {integrity: sha512-p3KP5HCf/bvjBSSKuXid6Zqijx7wIfNW+J/maPs+iwR35at5JCbLUT0LzF1cnjbCHWhqzQTIN2Jpe8pRebIEFQ==}
     engines: {node: '>=12'}
 
+  d3-quadtree@3.0.1:
+    resolution: {integrity: sha512-04xDrxQTDTCFwP5H6hRhsRcb9xxv2RzkcsygFzmkSIOJy3PeRJP7sNk3VRIbKXcog561P9oU0/rVH6vDROAgUw==}
+    engines: {node: '>=12'}
+
   d3-scale@4.0.2:
     resolution: {integrity: sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ==}
     engines: {node: '>=12'}
@@ -2135,6 +2315,9 @@ packages:
     resolution: {integrity: sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==}
     engines: {node: '>=6'}
 
+  detect-gpu@5.0.70:
+    resolution: {integrity: sha512-bqerEP1Ese6nt3rFkwPnGbsUF9a4q+gMmpTVVOEzoCyeCc+y7/RvJnQZJx1JwhgQI5Ntg0Kgat8Uu7XpBqnz1w==}
+
   detect-libc@2.1.2:
     resolution: {integrity: sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==}
     engines: {node: '>=8'}
@@ -2158,6 +2341,9 @@ packages:
   dom-accessibility-api@0.6.3:
     resolution: {integrity: sha512-7ZgogeTnjuHbo+ct10G9Ffp0mif17idi0IyWNVA/wcwcm7NPOD/WEHVP3n7n3MhXqxoIYm8d6MuZohYWIZ4T3w==}
 
+  draco3d@1.5.7:
+    resolution: {integrity: sha512-m6WCKt/erDXcw+70IJXnG7M3awwQPAsZvJGX5zY7beBqpELw6RDGkYVU0W43AFxye4pDZ5i2Lbyc/NNGqwjUVQ==}
+
   dunder-proto@1.0.1:
     resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==}
     engines: {node: '>= 0.4'}
@@ -2165,6 +2351,9 @@ packages:
   electron-to-chromium@1.5.286:
     resolution: {integrity: sha512-9tfDXhJ4RKFNerfjdCcZfufu49vg620741MNs26a9+bhLThdB+plgMeou98CAaHu/WATj2iHOOHTp1hWtABj2A==}
 
+  ellipsize@0.6.2:
+    resolution: {integrity: sha512-zB4m5iEETalVrrP8RzcF0Qzqyw3MkUQ4R43NiczRAp0Hpp0+0bRdwKnoaFXyJoVJCipm2/3xc7Hkg0OOAorUPw==}
+
   emoji-regex@9.2.2:
     resolution: {integrity: sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==}
 
@@ -2362,6 +2551,10 @@ packages:
   eventemitter3@5.0.4:
     resolution: {integrity: sha512-mlsTRyGaPBjPedk6Bvw+aqbsXDtoAyAzm5MO7JgU+yVRyMQ5O8bD4Kcci7BS85f93veegeCPkL8R4GLClnjLFw==}
 
+  events@3.3.0:
+    resolution: {integrity: sha512-mQw+2fkQbALzQ7V0MY0IqdnXNOeTtP4r0lN9z7AAawCXgqea7bDii20AYrIBrFd/Hx0M2Ocz6S111CaFkUcb0Q==}
+    engines: {node: '>=0.8.x'}
+
   eventsource-parser@3.0.6:
     resolution: {integrity: sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg==}
     engines: {node: '>=18.0.0'}
@@ -2415,6 +2608,12 @@ packages:
       picomatch:
         optional: true
 
+  fflate@0.6.10:
+    resolution: {integrity: sha512-IQrh3lEPM93wVCEczc9SaAOvkmcoQn/G8Bo1e8ZPlY3X3bnAxWaBdvTdvM1hP62iZp0BXWDy4vTAy4fF0+Dlpg==}
+
+  fflate@0.8.2:
+    resolution: {integrity: sha512-cPJU47OaAoCbg0pBvzsgpTPhmhqI5eJjh/JIu8tPj5q+T7iLvW/JAYUqmE7KOB4R1ZyEhzBaIQpQpardBF5z8A==}
+
   file-entry-cache@8.0.0:
     resolution: {integrity: sha512-XXTUwCvisa5oacNGRP9SfNtYBNAMi+RPwBFmblZEF7N7swHYQS6/Zfk7SRwx4D5j3CH211YNRco1DEMNVfZCnQ==}
     engines: {node: '>=16.0.0'}
@@ -2534,10 +2733,56 @@ packages:
   globrex@0.1.2:
     resolution: {integrity: sha512-uHJgbwAMwNFf5mLst7IWLNg14x1CkeqglJb/K3doi4dw6q2IvAAmM/Y81kevy83wP+Sst+nutFTYOGg3d1lsxg==}
 
+  glsl-noise@0.0.0:
+    resolution: {integrity: sha512-b/ZCF6amfAUb7dJM/MxRs7AetQEahYzJ8PtgfrmEdtw6uyGOr+ZSGtgjFm6mfsBkxJ4d2W7kg+Nlqzqvn3Bc0w==}
+
   gopd@1.2.0:
     resolution: {integrity: sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==}
     engines: {node: '>= 0.4'}
 
+  graphology-indices@0.17.0:
+    resolution: {integrity: sha512-A7RXuKQvdqSWOpn7ZVQo4S33O0vCfPBnUSf7FwE0zNCasqwZVUaCXePuWo5HBpWw68KJcwObZDHpFk6HKH6MYQ==}
+    peerDependencies:
+      graphology-types: '>=0.20.0'
+
+  graphology-layout-forceatlas2@0.10.1:
+    resolution: {integrity: sha512-ogzBeF1FvWzjkikrIFwxhlZXvD2+wlY54lqhsrWprcdPjopM2J9HoMweUmIgwaTvY4bUYVimpSsOdvDv1gPRFQ==}
+    peerDependencies:
+      graphology-types: '>=0.19.0'
+
+  graphology-layout-noverlap@0.4.2:
+    resolution: {integrity: sha512-13WwZSx96zim6l1dfZONcqLh3oqyRcjIBsqz2c2iJ3ohgs3605IDWjldH41Gnhh462xGB1j6VGmuGhZ2FKISXA==}
+    peerDependencies:
+      graphology-types: '>=0.19.0'
+
+  graphology-layout@0.6.1:
+    resolution: {integrity: sha512-m9aMvbd0uDPffUCFPng5ibRkb2pmfNvdKjQWeZrf71RS1aOoat5874+DcyNfMeCT4aQguKC7Lj9eCbqZj/h8Ag==}
+    peerDependencies:
+      graphology-types: '>=0.19.0'
+
+  graphology-metrics@2.4.0:
+    resolution: {integrity: sha512-7WOfOP+mFLCaTJx55Qg4eY+211vr1/b3D/R3biz3SXGhAaCVcWYkfabnmO4O4WBNWANEHtVnFrGgJ0kj6MM6xw==}
+    peerDependencies:
+      graphology-types: '>=0.20.0'
+
+  graphology-shortest-path@2.1.0:
+    resolution: {integrity: sha512-KbT9CTkP/u72vGEJzyRr24xFC7usI9Es3LMmCPHGwQ1KTsoZjxwA9lMKxfU0syvT/w+7fZUdB/Hu2wWYcJBm6Q==}
+    peerDependencies:
+      graphology-types: '>=0.20.0'
+
+  graphology-types@0.24.8:
+    resolution: {integrity: sha512-hDRKYXa8TsoZHjgEaysSRyPdT6uB78Ci8WnjgbStlQysz7xR52PInxNsmnB7IBOM1BhikxkNyCVEFgmPKnpx3Q==}
+
+  graphology-utils@2.5.2:
+    resolution: {integrity: sha512-ckHg8MXrXJkOARk56ZaSCM1g1Wihe2d6iTmz1enGOz4W/l831MBCKSayeFQfowgF8wd+PQ4rlch/56Vs/VZLDQ==}
+    peerDependencies:
+      graphology-types: '>=0.23.0'
+
+  graphology@0.26.0:
+    resolution: {integrity: sha512-8SSImzgUUYC89Z042s+0r/vMibY7GX/Emz4LDO5e7jYXhuoWfHISPFJYjpRLUSJGq6UQ6xlenvX1p/hJdfXuXg==}
+    peerDependencies:
+      graphology-types: '>=0.24.0'
+
   guess-json-indent@3.0.1:
     resolution: {integrity: sha512-LWZ3Vr8BG7DHE3TzPYFqkhjNRw4vYgFSsv2nfMuHklAlOfiy54/EwiDQuQfFVLxENCVv20wpbjfTayooQHrEhQ==}
     engines: {node: '>=18.18.0'}
@@ -2639,6 +2884,12 @@ packages:
   highlightjs-curl@1.3.0:
     resolution: {integrity: sha512-50UEfZq1KR0Lfk2Tr6xb/MUIZH3h10oNC0OTy9g7WELcs5Fgy/mKN1vEhuKTkKbdo8vr5F9GXstu2eLhApfQ3A==}
 
+  hls.js@1.6.15:
+    resolution: {integrity: sha512-E3a5VwgXimGHwpRGV+WxRTKeSp2DW5DI5MWv34ulL3t5UNmyJWCQ1KmLEHbYzcfThfXG8amBL+fCYPneGHC4VA==}
+
+  hold-event@1.1.2:
+    resolution: {integrity: sha512-Bx0A6OBY70cs23orUWk0DuBAAeJjEbmyg8Gnye9+M8+XeWy2CcmRyfiJhTnQQz9s25r9SYjici3URy176MFs5A==}
+
   hookable@6.0.1:
     resolution: {integrity: sha512-uKGyY8BuzN/a5gvzvA+3FVWo0+wUjgtfSdnmjtrOVwQCZPHpHDH2WRO3VZSOeluYrHoDCiXFffZXs8Dj1ULWtw==}
 
@@ -2682,6 +2933,9 @@ packages:
     resolution: {integrity: sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==}
     engines: {node: '>= 4'}
 
+  immediate@3.0.6:
+    resolution: {integrity: sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ==}
+
   immer@10.2.0:
     resolution: {integrity: sha512-d/+XTN3zfODyjr89gM3mPq1WNX2B8pYsu7eORitdwyA2sBubnTl3laYlBk4sXY5FUa5qTZGBDPJICVbvqzjlbw==}
 
@@ -2819,6 +3073,9 @@ packages:
   is-potential-custom-element-name@1.0.1:
     resolution: {integrity: sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==}
 
+  is-promise@2.2.2:
+    resolution: {integrity: sha512-+lP4/6lKUBfQjZ2pdxThZvLUAafmZb8OAxFb8XXtiQmS35INgr85hdOGoEs124ez1FCnZJt6jau/T+alh58QFQ==}
+
   is-regex@1.2.1:
     resolution: {integrity: sha512-MjYsKHO5O7mCsmRGxWcLWheFqN9DJ/2TmngvjKXihe6efViPqc274+Fx/4fYj/r03+ESvBdTXK0V6tA3rgez1g==}
     engines: {node: '>= 0.4'}
@@ -2869,6 +3126,11 @@ packages:
     resolution: {integrity: sha512-H0dkQoCa3b2VEeKQBOxFph+JAbcrQdE7KC0UkqwpLmv2EC4P41QXP+rqo9wYodACiG5/WM5s9oDApTU8utwj9g==}
     engines: {node: '>= 0.4'}
 
+  its-fine@2.0.0:
+    resolution: {integrity: sha512-KLViCmWx94zOvpLwSlsx6yOCeMhZYaxrJV87Po5k/FoZzcPSahvK5qJ7fYhS61sZi5ikmh2S3Hz55A2l3U69ng==}
+    peerDependencies:
+      react: ^19.0.0
+
   jiti@1.21.7:
     resolution: {integrity: sha512-/imKNG4EbWNrVjoNC/1H5/9GFy+tqjGBHCaSsN+P2RnPqjsLmv6UD3Ej+Kj8nBWaRAwyk7kK5ZUc+OEatnTR3A==}
     hasBin: true
@@ -2954,6 +3216,9 @@ packages:
     resolution: {integrity: sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==}
     engines: {node: '>= 0.8.0'}
 
+  lie@3.3.0:
+    resolution: {integrity: sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ==}
+
   lilconfig@3.1.3:
     resolution: {integrity: sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw==}
     engines: {node: '>=14'}
@@ -2991,6 +3256,12 @@ packages:
     resolution: {integrity: sha512-h5bgJWpxJNswbU7qCrV0tIKQCaS3blPDrqKWx+QxzuzL1zGUzij9XCWLrSLsJPu5t+eWA/ycetzYAO5IOMcWAQ==}
     hasBin: true
 
+  maath@0.10.8:
+    resolution: {integrity: sha512-tRvbDF0Pgqz+9XUa4jjfgAQ8/aPKmQdWXilFu2tMy4GWj4NOsx99HlULO4IeREfbO3a0sA145DZYyvXPkybm0g==}
+    peerDependencies:
+      '@types/three': '>=0.134.0'
+      three: '>=0.134.0'
+
   magic-string@0.30.21:
     resolution: {integrity: sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==}
 
@@ -3054,6 +3325,14 @@ packages:
     resolution: {integrity: sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==}
     engines: {node: '>= 8'}
 
+  meshline@3.3.1:
+    resolution: {integrity: sha512-/TQj+JdZkeSUOl5Mk2J7eLcYTLiQm2IDzmlSvYm7ov15anEcDJ92GHqqazxTSreeNgfnYu24kiEvvv0WlbCdFQ==}
+    peerDependencies:
+      three: '>=0.137'
+
+  meshoptimizer@1.0.1:
+    resolution: {integrity: sha512-Vix+QlA1YYT3FwmBBZ+49cE5y/b+pRrcXKqGpS5ouh33d3lSp2PoTpCw19E0cKDFWalembrHnIaZetf27a+W2g==}
+
   microdiff@1.5.0:
     resolution: {integrity: sha512-Drq+/THMvDdzRYrK0oxJmOKiC24ayUV8ahrt8l3oRK51PWt6gdtrIGrlIH3pT/lFh1z93FbAcidtsHcWbnRz8Q==}
 
@@ -3166,6 +3445,9 @@ packages:
   mkdirp-classic@0.5.3:
     resolution: {integrity: sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A==}
 
+  mnemonist@0.39.8:
+    resolution: {integrity: sha512-vyWo2K3fjrUw8YeeZ1zF0fy6Mu59RHokURlld8ymdUPjMlD9EC9ov1/YPqTgqRvUN9nTr3Gqfz29LYAmu0PHPQ==}
+
   ms@2.1.3:
     resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
 
@@ -3275,6 +3557,9 @@ packages:
     resolution: {integrity: sha512-gXah6aZrcUxjWg2zR2MwouP2eHlCBzdV4pygudehaKXSGW4v2AsRQUK+lwwXhii6KFZcunEnmSUoYp5CXibxtA==}
     engines: {node: '>= 0.4'}
 
+  obliterator@2.0.5:
+    resolution: {integrity: sha512-42CPE9AhahZRsMNslczq0ctAEtqk8Eka26QofnqC346BZdHDySk3LWka23LI7ULIw11NmltpiLagIq8gBozxTw==}
+
   on-exit-leak-free@2.1.2:
     resolution: {integrity: sha512-0eJJY6hXLGf1udHwfNftBqH+g73EU4B504nZeKpz1sYRKafAghwxEJunB2O7rDZkL4PGfsMVnTXZ2EjibbqcsA==}
     engines: {node: '>=14.0.0'}
@@ -3306,6 +3591,9 @@ packages:
     resolution: {integrity: sha512-MyIV3ZA/PmyBN/ud8vV9XzwTrNtR4jFrObymZYnZqMmW0zA8Z17vnT0rBgFE/TlohB+YCHqXMgZzb3Csp49vqg==}
     engines: {node: '>=14.16'}
 
+  pandemonium@2.4.1:
+    resolution: {integrity: sha512-wRqjisUyiUfXowgm7MFH2rwJzKIr20rca5FsHXCMNm1W5YPP1hCtrZfgmQ62kP7OZ7Xt+cR858aB28lu5NX55g==}
+
   parent-module@1.0.1:
     resolution: {integrity: sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==}
     engines: {node: '>=6'}
@@ -3439,6 +3727,9 @@ packages:
     resolution: {integrity: sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==}
     engines: {node: ^10 || ^12 || >=14}
 
+  potpack@1.0.2:
+    resolution: {integrity: sha512-choctRBIV9EMT9WGAZHn3V7t0Z2pMQyl0EZE6pFc/6ml3ssw7Dlf/oAOvFwjm1HVsqfQN8GfeFyJ+d8tRzqueQ==}
+
   prebuild-install@7.1.3:
     resolution: {integrity: sha512-8Mf2cbV7x1cXPUILADGI3wuhfqWvtiLA1iclTDbFRZkgRQS0NqsPZphna9V+HyTEadheuPmjaJMsbzKQFOzLug==}
     engines: {node: '>=10'}
@@ -3463,6 +3754,9 @@ packages:
   process-warning@5.0.0:
     resolution: {integrity: sha512-a39t9ApHNx2L4+HBnQKqxxHNs1r7KF+Intd8Q/g1bUh6q0WIp9voPXJ/x0j+ZL45KF1pJd9+q2jLIRMfvEshkA==}
 
+  promise-worker-transferable@1.0.4:
+    resolution: {integrity: sha512-bN+0ehEnrXfxV2ZQvU2PetO0n4gqBD4ulq3MI1WOPLgr7/Mg9yRQkX5+0v1vagr74ZTsl7XtzlaYDo2EuCeYJw==}
+
   prop-types@15.8.1:
     resolution: {integrity: sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==}
 
@@ -3524,6 +3818,15 @@ packages:
     resolution: {integrity: sha512-z6F7K9bV85EfseRCp2bzrpyQ0Gkw1uLoCel9XBVWPg/TjRj94SkJzUTGfOa4bs7iJvBWtQG0Wq7wnI0syw3EBQ==}
     engines: {node: '>=0.10.0'}
 
+  react-use-measure@2.1.7:
+    resolution: {integrity: sha512-KrvcAo13I/60HpwGO5jpW7E9DfusKyLPLvuHlUyP5zqnmAPhNc6qTRjUQrdTADl0lpPpDVU2/Gg51UlOGHXbdg==}
+    peerDependencies:
+      react: '>=16.13'
+      react-dom: '>=16.13'
+    peerDependenciesMeta:
+      react-dom:
+        optional: true
+
   react@19.2.4:
     resolution: {integrity: sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==}
     engines: {node: '>=0.10.0'}
@@ -3545,6 +3848,13 @@ packages:
     resolution: {integrity: sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==}
     engines: {node: '>=8.10.0'}
 
+  reagraph@4.30.8:
+    resolution: {integrity: sha512-DXmG2lAM5k7LQiTQJ4sad8Ks8Q1c98303USwwN+mxpJ5GelBYLjMVG+DPct4CE8ezON1WUoE8PL3RUXiEua22Q==}
+    engines: {node: ^20.19.0 || >=22.12.0}
+    peerDependencies:
+      react: '>=16'
+      react-dom: '>=16'
+
   real-require@0.2.0:
     resolution: {integrity: sha512-57frrGM/OCTLqLOAh0mhVA9VBMHd+9U7Zb2THMGdBUoZVOtGbJzjxsYGDJ3A9AYYCP4hn6y1TVbaOfzWtm5GFg==}
     engines: {node: '>= 12.13.0'}
@@ -3763,6 +4073,15 @@ packages:
   stackback@0.0.2:
     resolution: {integrity: sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==}
 
+  stats-gl@2.4.2:
+    resolution: {integrity: sha512-g5O9B0hm9CvnM36+v7SFl39T7hmAlv541tU81ME8YeSb3i1CIP5/QdDeSB3A0la0bKNHpxpwxOVRo2wFTYEosQ==}
+    peerDependencies:
+      '@types/three': '*'
+      three: '*'
+
+  stats.js@0.17.0:
+    resolution: {integrity: sha512-hNKz8phvYLPEcRkeG1rsGmV5ChMjKDAWU7/OJJdDErPBNChQXxCo3WZurGpnWc6gZhAzEPFad1aVgyOANH1sMw==}
+
   std-env@3.10.0:
     resolution: {integrity: sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==}
 
@@ -3870,6 +4189,11 @@ packages:
     resolution: {integrity: sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==}
     engines: {node: '>= 0.4'}
 
+  suspend-react@0.1.3:
+    resolution: {integrity: sha512-aqldKgX9aZqpoDp3e8/BZ8Dm7x1pJl+qI3ZKxDN0i/IQTWUwBx/ManmlVJ3wowqbno6c2bmiIfs+Um6LbsjJyQ==}
+    peerDependencies:
+      react: '>=17.0'
+
   swrv@1.1.0:
     resolution: {integrity: sha512-pjllRDr2s0iTwiE5Isvip51dZGR7GjLH1gCSVyE8bQnbAx6xackXsFdojau+1O5u98yHF5V73HQGOFxKUXO9gQ==}
     peerDependencies:
@@ -3911,6 +4235,19 @@ packages:
     resolution: {integrity: sha512-4iMVL6HAINXWf1ZKZjIPcz5wYaOdPhtO8ATvZ+Xqp3BTdaqtAwQkNmKORqcIo5YkQqGXq5cwfswDwMqqQNrpJA==}
     engines: {node: '>=20'}
 
+  three-mesh-bvh@0.8.3:
+    resolution: {integrity: sha512-4G5lBaF+g2auKX3P0yqx+MJC6oVt6sB5k+CchS6Ob0qvH0YIhuUk1eYr7ktsIpY+albCqE80/FVQGV190PmiAg==}
+    peerDependencies:
+      three: '>= 0.159.0'
+
+  three-stdlib@2.36.1:
+    resolution: {integrity: sha512-XyGQrFmNQ5O/IoKm556ftwKsBg11TIb301MB5dWNicziQBEs2g3gtOYIf7pFiLa0zI2gUwhtCjv9fmjnxKZ1Cg==}
+    peerDependencies:
+      three: '>=0.128.0'
+
+  three@0.180.0:
+    resolution: {integrity: sha512-o+qycAMZrh+TsE01GqWUxUIKR1AL0S8pq7zDkYOQw8GqfX8b8VoCKYUoHbhiX5j+7hr8XsuHDVU6+gkQJQKg9w==}
+
   time-span@5.1.0:
     resolution: {integrity: sha512-75voc/9G4rDIJleOo4jPvN4/YC4GRZrY8yy1uU4lwrB3XEQbWve8zXoO5No4eFrGcTAMYyoY67p8jRQdtA1HbA==}
     engines: {node: '>=12'}
@@ -3962,6 +4299,19 @@ packages:
   trim-lines@3.0.1:
     resolution: {integrity: sha512-kRj8B+YHZCc9kQYdWfJB2/oUl9rA99qbowYYBtr4ui4mZyAQ2JpvVBd/6U2YloATfqBhBTSMhTpgBHtU0Mf3Rg==}
 
+  troika-three-text@0.52.4:
+    resolution: {integrity: sha512-V50EwcYGruV5rUZ9F4aNsrytGdKcXKALjEtQXIOBfhVoZU9VAqZNIoGQ3TMiooVqFAbR1w15T+f+8gkzoFzawg==}
+    peerDependencies:
+      three: '>=0.125.0'
+
+  troika-three-utils@0.52.4:
+    resolution: {integrity: sha512-NORAStSVa/BDiG52Mfudk4j1FG4jC4ILutB3foPnfGbOeIs9+G5vZLa0pnmnaftZUGm4UwSoqEpWdqvC7zms3A==}
+    peerDependencies:
+      three: '>=0.125.0'
+
+  troika-worker-utils@0.52.0:
+    resolution: {integrity: sha512-W1CpvTHykaPH5brv5VHLfQo9D1OYuo0cSBEUQFFT/nBUzM8iD6Lq2/tgG/f1OelbAS1WtaTPQzE5uM49egnngw==}
+
   trough@2.2.0:
     resolution: {integrity: sha512-tmMpK00BjZiUyVyvrBK7knerNgmgvcV/KLVyuma/SC+TQN167GrMRciANTz09+k3zW8L8t60jWO1GpfkZdjTaw==}
 
@@ -4001,6 +4351,9 @@ packages:
   tunnel-agent@0.6.0:
     resolution: {integrity: sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==}
 
+  tunnel-rat@0.1.2:
+    resolution: {integrity: sha512-lR5VHmkPhzdhrM092lI2nACsLO4QubF0/yoOhzX7c+wIpbN1GjHNzCc91QlpxBi+cnx8vVJ+Ur6vL5cEoQPFpQ==}
+
   type-check@0.4.0:
     resolution: {integrity: sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==}
     engines: {node: '>= 0.8.0'}
@@ -4092,6 +4445,10 @@ packages:
   util-deprecate@1.0.2:
     resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==}
 
+  utility-types@3.11.0:
+    resolution: {integrity: sha512-6Z7Ma2aVEWisaL6TvBCy7P8rm2LQoPv6dJ7ecIaIixHcwfbJ0x7mWdbcwlIM5IGQxPZSFYeqRCqlOOeKoJYMkw==}
+    engines: {node: '>= 4'}
+
   vfile-location@5.0.3:
     resolution: {integrity: sha512-5yXvWDEgqeiYiBe1lbxYF7UMAIm/IcopxMHrMQDq3nvKcjPKIhZklUKL+AE7J7uApI4kwe2snsK+eI6UTj9EHg==}
 
@@ -4216,6 +4573,12 @@ packages:
   web-worker@1.5.0:
     resolution: {integrity: sha512-RiMReJrTAiA+mBjGONMnjVDP2u3p9R1vkcGz6gDIrOMT3oGuYwX2WRMYI9ipkphSuE5XKEhydbhNEJh4NY9mlw==}
 
+  webgl-constants@1.1.1:
+    resolution: {integrity: sha512-LkBXKjU5r9vAW7Gcu3T5u+5cvSvh5WwINdr0C+9jpzVB41cjQAP5ePArDtk/WHYdVj0GefCgM73BA7FlIiNtdg==}
+
+  webgl-sdf-generator@1.1.1:
+    resolution: {integrity: sha512-9Z0JcMTFxeE+b2x1LJTdnaT8rT8aEp7MVxkNwoycNmJWwPdzoXzMh0BjJSh/AEFP+KPYZUli814h8bJZFIZ2jA==}
+
   webidl-conversions@7.0.0:
     resolution: {integrity: sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==}
     engines: {node: '>=12'}
@@ -4339,6 +4702,24 @@ packages:
       use-sync-external-store:
         optional: true
 
+  zustand@5.0.8:
+    resolution: {integrity: sha512-gyPKpIaxY9XcO2vSMrLbiER7QMAMGOQZVRdJ6Zi782jkbzZygq5GI9nG8g+sMgitRtndwaBSl7uiqC49o1SSiw==}
+    engines: {node: '>=12.20.0'}
+    peerDependencies:
+      '@types/react': '>=18.0.0'
+      immer: '>=9.0.6'
+      react: '>=18.0.0'
+      use-sync-external-store: '>=1.2.0'
+    peerDependenciesMeta:
+      '@types/react':
+        optional: true
+      immer:
+        optional: true
+      react:
+        optional: true
+      use-sync-external-store:
+        optional: true
+
   zwitch@2.0.4:
     resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==}
 
@@ -4611,6 +4992,8 @@ snapshots:
 
   '@csstools/css-tokenizer@3.0.4': {}
 
+  '@dimforge/rapier3d-compat@0.12.0': {}
+
   '@emnapi/core@1.8.1':
     dependencies:
       '@emnapi/wasi-threads': 1.1.0
@@ -4954,6 +5337,13 @@ snapshots:
 
   '@marijn/find-cluster-break@1.0.2': {}
 
+  '@mediapipe/tasks-vision@0.10.17': {}
+
+  '@monogrid/gainmap-js@3.4.0(three@0.180.0)':
+    dependencies:
+      promise-worker-transferable: 1.0.4
+      three: 0.180.0
+
   '@napi-rs/wasm-runtime@0.2.12':
     dependencies:
       '@emnapi/core': 1.8.1
@@ -5015,6 +5405,105 @@ snapshots:
     dependencies:
       playwright: 1.58.2
 
+  '@radix-ui/react-compose-refs@1.1.2(@types/react@19.2.13)(react@19.2.4)':
+    dependencies:
+      react: 19.2.4
+    optionalDependencies:
+      '@types/react': 19.2.13
+
+  '@radix-ui/react-slot@1.2.4(@types/react@19.2.13)(react@19.2.4)':
+    dependencies:
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.13)(react@19.2.4)
+      react: 19.2.4
+    optionalDependencies:
+      '@types/react': 19.2.13
+
+  '@react-spring/animated@10.0.3(react@19.2.4)':
+    dependencies:
+      '@react-spring/shared': 10.0.3(react@19.2.4)
+      '@react-spring/types': 10.0.3
+      react: 19.2.4
+
+  '@react-spring/core@10.0.3(react@19.2.4)':
+    dependencies:
+      '@react-spring/animated': 10.0.3(react@19.2.4)
+      '@react-spring/shared': 10.0.3(react@19.2.4)
+      '@react-spring/types': 10.0.3
+      react: 19.2.4
+
+  '@react-spring/rafz@10.0.3': {}
+
+  '@react-spring/shared@10.0.3(react@19.2.4)':
+    dependencies:
+      '@react-spring/rafz': 10.0.3
+      '@react-spring/types': 10.0.3
+      react: 19.2.4
+
+  '@react-spring/three@10.0.3(@react-three/fiber@9.5.0(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0))(react@19.2.4)(three@0.180.0)':
+    dependencies:
+      '@react-spring/animated': 10.0.3(react@19.2.4)
+      '@react-spring/core': 10.0.3(react@19.2.4)
+      '@react-spring/shared': 10.0.3(react@19.2.4)
+      '@react-spring/types': 10.0.3
+      '@react-three/fiber': 9.5.0(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0)
+      react: 19.2.4
+      three: 0.180.0
+
+  '@react-spring/types@10.0.3': {}
+
+  '@react-three/drei@10.7.7(@react-three/fiber@9.5.0(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0))(@types/react@19.2.13)(@types/three@0.183.1)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0)':
+    dependencies:
+      '@babel/runtime': 7.28.6
+      '@mediapipe/tasks-vision': 0.10.17
+      '@monogrid/gainmap-js': 3.4.0(three@0.180.0)
+      '@react-three/fiber': 9.5.0(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0)
+      '@use-gesture/react': 10.3.1(react@19.2.4)
+      camera-controls: 3.1.2(three@0.180.0)
+      cross-env: 7.0.3
+      detect-gpu: 5.0.70
+      glsl-noise: 0.0.0
+      hls.js: 1.6.15
+      maath: 0.10.8(@types/three@0.183.1)(three@0.180.0)
+      meshline: 3.3.1(three@0.180.0)
+      react: 19.2.4
+      stats-gl: 2.4.2(@types/three@0.183.1)(three@0.180.0)
+      stats.js: 0.17.0
+      suspend-react: 0.1.3(react@19.2.4)
+      three: 0.180.0
+      three-mesh-bvh: 0.8.3(three@0.180.0)
+      three-stdlib: 2.36.1(three@0.180.0)
+      troika-three-text: 0.52.4(three@0.180.0)
+      tunnel-rat: 0.1.2(@types/react@19.2.13)(immer@11.1.3)(react@19.2.4)
+      use-sync-external-store: 1.6.0(react@19.2.4)
+      utility-types: 3.11.0
+      zustand: 5.0.11(@types/react@19.2.13)(immer@11.1.3)(react@19.2.4)(use-sync-external-store@1.6.0(react@19.2.4))
+    optionalDependencies:
+      react-dom: 19.2.4(react@19.2.4)
+    transitivePeerDependencies:
+      - '@types/react'
+      - '@types/three'
+      - immer
+
+  '@react-three/fiber@9.5.0(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0)':
+    dependencies:
+      '@babel/runtime': 7.28.6
+      '@types/webxr': 0.5.24
+      base64-js: 1.5.1
+      buffer: 6.0.3
+      its-fine: 2.0.0(@types/react@19.2.13)(react@19.2.4)
+      react: 19.2.4
+      react-use-measure: 2.1.7(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+      scheduler: 0.27.0
+      suspend-react: 0.1.3(react@19.2.4)
+      three: 0.180.0
+      use-sync-external-store: 1.6.0(react@19.2.4)
+      zustand: 5.0.11(@types/react@19.2.13)(immer@11.1.3)(react@19.2.4)(use-sync-external-store@1.6.0(react@19.2.4))
+    optionalDependencies:
+      react-dom: 19.2.4(react@19.2.4)
+    transitivePeerDependencies:
+      - '@types/react'
+      - immer
+
   '@reactflow/background@11.3.14(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)':
     dependencies:
       '@reactflow/core': 11.11.4(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
@@ -5612,6 +6101,8 @@ snapshots:
       '@types/react': 19.2.13
       '@types/react-dom': 19.2.3(@types/react@19.2.13)
 
+  '@tweenjs/tween.js@23.1.3': {}
+
   '@tybys/wasm-util@0.10.1':
     dependencies:
       tslib: 2.8.1
@@ -5765,6 +6256,8 @@ snapshots:
     dependencies:
       '@types/ms': 2.1.0
 
+  '@types/draco3d@1.4.10': {}
+
   '@types/estree-jsx@1.0.5':
     dependencies:
       '@types/estree': 1.0.8
@@ -5793,14 +6286,32 @@ snapshots:
     dependencies:
       undici-types: 6.21.0
 
+  '@types/offscreencanvas@2019.7.3': {}
+
   '@types/react-dom@19.2.3(@types/react@19.2.13)':
     dependencies:
       '@types/react': 19.2.13
 
+  '@types/react-reconciler@0.28.9(@types/react@19.2.13)':
+    dependencies:
+      '@types/react': 19.2.13
+
   '@types/react@19.2.13':
     dependencies:
       csstype: 3.2.3
 
+  '@types/stats.js@0.17.4': {}
+
+  '@types/three@0.183.1':
+    dependencies:
+      '@dimforge/rapier3d-compat': 0.12.0
+      '@tweenjs/tween.js': 23.1.3
+      '@types/stats.js': 0.17.4
+      '@types/webxr': 0.5.24
+      '@webgpu/types': 0.1.69
+      fflate: 0.8.2
+      meshoptimizer: 1.0.1
+
   '@types/unist@2.0.11': {}
 
   '@types/unist@3.0.3': {}
@@ -5811,6 +6322,8 @@ snapshots:
 
   '@types/web-bluetooth@0.0.21': {}
 
+  '@types/webxr@0.5.24': {}
+
   '@types/ws@8.18.1':
     dependencies:
       '@types/node': 22.19.9
@@ -5973,6 +6486,13 @@ snapshots:
   '@unrs/resolver-binding-win32-x64-msvc@1.11.1':
     optional: true
 
+  '@use-gesture/core@10.3.1': {}
+
+  '@use-gesture/react@10.3.1(react@19.2.4)':
+    dependencies:
+      '@use-gesture/core': 10.3.1
+      react: 19.2.4
+
   '@vercel/oidc@3.1.0': {}
 
   '@vitejs/plugin-react@4.7.0(vite@5.4.21(@types/node@22.19.9))':
@@ -6124,6 +6644,8 @@ snapshots:
     dependencies:
       vue: 3.5.29(typescript@5.9.3)
 
+  '@webgpu/types@0.1.69': {}
+
   '@xyflow/react@12.10.0(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)':
     dependencies:
       '@xyflow/system': 0.0.74
@@ -6147,6 +6669,8 @@ snapshots:
       d3-selection: 3.0.0
       d3-zoom: 3.0.0
 
+  '@yomguithereal/helpers@1.1.1': {}
+
   acorn-jsx@5.3.2(acorn@8.15.0):
     dependencies:
       acorn: 8.15.0
@@ -6319,6 +6843,10 @@ snapshots:
       bindings: 1.5.0
       prebuild-install: 7.1.3
 
+  bidi-js@1.0.3:
+    dependencies:
+      require-from-string: 2.0.2
+
   binary-extensions@2.3.0: {}
 
   bindings@1.5.0:
@@ -6357,6 +6885,11 @@ snapshots:
       base64-js: 1.5.1
       ieee754: 1.2.1
 
+  buffer@6.0.3:
+    dependencies:
+      base64-js: 1.5.1
+      ieee754: 1.2.1
+
   cac@6.7.14: {}
 
   call-bind-apply-helpers@1.0.2:
@@ -6380,6 +6913,10 @@ snapshots:
 
   camelcase-css@2.0.1: {}
 
+  camera-controls@3.1.2(three@0.180.0):
+    dependencies:
+      three: 0.180.0
+
   caniuse-lite@1.0.30001769: {}
 
   ccount@2.0.1: {}
@@ -6423,8 +6960,14 @@ snapshots:
 
   chownr@1.1.4: {}
 
+  class-variance-authority@0.7.1:
+    dependencies:
+      clsx: 2.1.1
+
   classcat@5.0.5: {}
 
+  classnames@2.5.1: {}
+
   client-only@0.0.1: {}
 
   clsx@2.1.1: {}
@@ -6449,6 +6992,10 @@ snapshots:
 
   crelt@1.0.6: {}
 
+  cross-env@7.0.3:
+    dependencies:
+      cross-spawn: 7.0.6
+
   cross-spawn@7.0.6:
     dependencies:
       path-key: 3.1.1
@@ -6482,6 +7029,8 @@ snapshots:
     dependencies:
       internmap: 2.0.3
 
+  d3-binarytree@1.0.2: {}
+
   d3-color@3.1.0: {}
 
   d3-dispatch@3.0.1: {}
@@ -6493,14 +7042,28 @@ snapshots:
 
   d3-ease@3.0.1: {}
 
+  d3-force-3d@3.0.6:
+    dependencies:
+      d3-binarytree: 1.0.2
+      d3-dispatch: 3.0.1
+      d3-octree: 1.1.0
+      d3-quadtree: 3.0.1
+      d3-timer: 3.0.1
+
   d3-format@3.1.2: {}
 
+  d3-hierarchy@3.1.2: {}
+
   d3-interpolate@3.0.1:
     dependencies:
       d3-color: 3.1.0
 
+  d3-octree@1.1.0: {}
+
   d3-path@3.1.0: {}
 
+  d3-quadtree@3.0.1: {}
+
   d3-scale@4.0.2:
     dependencies:
       d3-array: 3.2.4
@@ -6611,6 +7174,10 @@ snapshots:
 
   dequal@2.0.3: {}
 
+  detect-gpu@5.0.70:
+    dependencies:
+      webgl-constants: 1.1.1
+
   detect-libc@2.1.2: {}
 
   devlop@1.1.0:
@@ -6629,6 +7196,8 @@ snapshots:
 
   dom-accessibility-api@0.6.3: {}
 
+  draco3d@1.5.7: {}
+
   dunder-proto@1.0.1:
     dependencies:
       call-bind-apply-helpers: 1.0.2
@@ -6637,6 +7206,8 @@ snapshots:
 
   electron-to-chromium@1.5.286: {}
 
+  ellipsize@0.6.2: {}
+
   emoji-regex@9.2.2: {}
 
   end-of-stream@1.4.5:
@@ -6997,6 +7568,8 @@ snapshots:
 
   eventemitter3@5.0.4: {}
 
+  events@3.3.0: {}
+
   eventsource-parser@3.0.6: {}
 
   expand-template@2.0.3: {}
@@ -7041,6 +7614,10 @@ snapshots:
     optionalDependencies:
       picomatch: 4.0.3
 
+  fflate@0.6.10: {}
+
+  fflate@0.8.2: {}
+
   file-entry-cache@8.0.0:
     dependencies:
       flat-cache: 4.0.1
@@ -7155,8 +7732,60 @@ snapshots:
 
   globrex@0.1.2: {}
 
+  glsl-noise@0.0.0: {}
+
   gopd@1.2.0: {}
 
+  graphology-indices@0.17.0(graphology-types@0.24.8):
+    dependencies:
+      graphology-types: 0.24.8
+      graphology-utils: 2.5.2(graphology-types@0.24.8)
+      mnemonist: 0.39.8
+
+  graphology-layout-forceatlas2@0.10.1(graphology-types@0.24.8):
+    dependencies:
+      graphology-types: 0.24.8
+      graphology-utils: 2.5.2(graphology-types@0.24.8)
+
+  graphology-layout-noverlap@0.4.2(graphology-types@0.24.8):
+    dependencies:
+      graphology-types: 0.24.8
+      graphology-utils: 2.5.2(graphology-types@0.24.8)
+
+  graphology-layout@0.6.1(graphology-types@0.24.8):
+    dependencies:
+      graphology-types: 0.24.8
+      graphology-utils: 2.5.2(graphology-types@0.24.8)
+      pandemonium: 2.4.1
+
+  graphology-metrics@2.4.0(graphology-types@0.24.8):
+    dependencies:
+      graphology-indices: 0.17.0(graphology-types@0.24.8)
+      graphology-shortest-path: 2.1.0(graphology-types@0.24.8)
+      graphology-types: 0.24.8
+      graphology-utils: 2.5.2(graphology-types@0.24.8)
+      mnemonist: 0.39.8
+      pandemonium: 2.4.1
+
+  graphology-shortest-path@2.1.0(graphology-types@0.24.8):
+    dependencies:
+      '@yomguithereal/helpers': 1.1.1
+      graphology-indices: 0.17.0(graphology-types@0.24.8)
+      graphology-types: 0.24.8
+      graphology-utils: 2.5.2(graphology-types@0.24.8)
+      mnemonist: 0.39.8
+
+  graphology-types@0.24.8: {}
+
+  graphology-utils@2.5.2(graphology-types@0.24.8):
+    dependencies:
+      graphology-types: 0.24.8
+
+  graphology@0.26.0(graphology-types@0.24.8):
+    dependencies:
+      events: 3.3.0
+      graphology-types: 0.24.8
+
   guess-json-indent@3.0.1: {}
 
   has-bigints@1.1.0: {}
@@ -7345,6 +7974,10 @@ snapshots:
 
   highlightjs-curl@1.3.0: {}
 
+  hls.js@1.6.15: {}
+
+  hold-event@1.1.2: {}
+
   hookable@6.0.1: {}
 
   html-encoding-sniffer@4.0.0:
@@ -7385,6 +8018,8 @@ snapshots:
 
   ignore@7.0.5: {}
 
+  immediate@3.0.6: {}
+
   immer@10.2.0: {}
 
   immer@11.1.3: {}
@@ -7513,6 +8148,8 @@ snapshots:
 
   is-potential-custom-element-name@1.0.1: {}
 
+  is-promise@2.2.2: {}
+
   is-regex@1.2.1:
     dependencies:
       call-bound: 1.0.4
@@ -7567,6 +8204,13 @@ snapshots:
       has-symbols: 1.1.0
       set-function-name: 2.0.2
 
+  its-fine@2.0.0(@types/react@19.2.13)(react@19.2.4):
+    dependencies:
+      '@types/react-reconciler': 0.28.9(@types/react@19.2.13)
+      react: 19.2.4
+    transitivePeerDependencies:
+      - '@types/react'
+
   jiti@1.21.7: {}
 
   joycon@3.1.1: {}
@@ -7652,6 +8296,10 @@ snapshots:
       prelude-ls: 1.2.1
       type-check: 0.4.0
 
+  lie@3.3.0:
+    dependencies:
+      immediate: 3.0.6
+
   lilconfig@3.1.3: {}
 
   lines-and-columns@1.2.4: {}
@@ -7684,6 +8332,11 @@ snapshots:
 
   lz-string@1.5.0: {}
 
+  maath@0.10.8(@types/three@0.183.1)(three@0.180.0):
+    dependencies:
+      '@types/three': 0.183.1
+      three: 0.180.0
+
   magic-string@0.30.21:
     dependencies:
       '@jridgewell/sourcemap-codec': 1.5.5
@@ -7853,6 +8506,12 @@ snapshots:
 
   merge2@1.4.1: {}
 
+  meshline@3.3.1(three@0.180.0):
+    dependencies:
+      three: 0.180.0
+
+  meshoptimizer@1.0.1: {}
+
   microdiff@1.5.0: {}
 
   micromark-core-commonmark@2.0.3:
@@ -8067,6 +8726,10 @@ snapshots:
 
   mkdirp-classic@0.5.3: {}
 
+  mnemonist@0.39.8:
+    dependencies:
+      obliterator: 2.0.5
+
   ms@2.1.3: {}
 
   mz@2.7.0:
@@ -8174,6 +8837,8 @@ snapshots:
       define-properties: 1.2.1
       es-object-atoms: 1.1.1
 
+  obliterator@2.0.5: {}
+
   on-exit-leak-free@2.1.2: {}
 
   once@1.4.0:
@@ -8209,6 +8874,10 @@ snapshots:
 
   p-timeout@6.1.4: {}
 
+  pandemonium@2.4.1:
+    dependencies:
+      mnemonist: 0.39.8
+
   parent-module@1.0.1:
     dependencies:
       callsites: 3.1.0
@@ -8341,6 +9010,8 @@ snapshots:
       picocolors: 1.1.1
       source-map-js: 1.2.1
 
+  potpack@1.0.2: {}
+
   prebuild-install@7.1.3:
     dependencies:
       detect-libc: 2.1.2
@@ -8372,6 +9043,11 @@ snapshots:
 
   process-warning@5.0.0: {}
 
+  promise-worker-transferable@1.0.4:
+    dependencies:
+      is-promise: 2.2.2
+      lie: 3.3.0
+
   prop-types@15.8.1:
     dependencies:
       loose-envify: 1.4.0
@@ -8453,6 +9129,12 @@ snapshots:
 
   react-refresh@0.17.0: {}
 
+  react-use-measure@2.1.7(react-dom@19.2.4(react@19.2.4))(react@19.2.4):
+    dependencies:
+      react: 19.2.4
+    optionalDependencies:
+      react-dom: 19.2.4(react@19.2.4)
+
   react@19.2.4: {}
 
   reactflow@11.11.4(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4):
@@ -8483,6 +9165,43 @@ snapshots:
     dependencies:
       picomatch: 2.3.1
 
+  reagraph@4.30.8(@types/react@19.2.13)(@types/three@0.183.1)(graphology-types@0.24.8)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(use-sync-external-store@1.6.0(react@19.2.4)):
+    dependencies:
+      '@react-spring/three': 10.0.3(@react-three/fiber@9.5.0(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0))(react@19.2.4)(three@0.180.0)
+      '@react-three/drei': 10.7.7(@react-three/fiber@9.5.0(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0))(@types/react@19.2.13)(@types/three@0.183.1)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0)
+      '@react-three/fiber': 9.5.0(@types/react@19.2.13)(immer@11.1.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(three@0.180.0)
+      '@use-gesture/react': 10.3.1(react@19.2.4)
+      camera-controls: 3.1.2(three@0.180.0)
+      classnames: 2.5.1
+      d3-array: 3.2.4
+      d3-force-3d: 3.0.6
+      d3-hierarchy: 3.1.2
+      d3-scale: 4.0.2
+      ellipsize: 0.6.2
+      graphology: 0.26.0(graphology-types@0.24.8)
+      graphology-layout: 0.6.1(graphology-types@0.24.8)
+      graphology-layout-forceatlas2: 0.10.1(graphology-types@0.24.8)
+      graphology-layout-noverlap: 0.4.2(graphology-types@0.24.8)
+      graphology-metrics: 2.4.0(graphology-types@0.24.8)
+      graphology-shortest-path: 2.1.0(graphology-types@0.24.8)
+      hold-event: 1.1.2
+      react: 19.2.4
+      react-dom: 19.2.4(react@19.2.4)
+      three: 0.180.0
+      three-stdlib: 2.36.1(three@0.180.0)
+      zustand: 5.0.8(@types/react@19.2.13)(immer@11.1.3)(react@19.2.4)(use-sync-external-store@1.6.0(react@19.2.4))
+    transitivePeerDependencies:
+      - '@types/react'
+      - '@types/three'
+      - expo
+      - expo-asset
+      - expo-file-system
+      - expo-gl
+      - graphology-types
+      - immer
+      - react-native
+      - use-sync-external-store
+
   real-require@0.2.0: {}
 
   recharts@3.7.0(@types/react@19.2.13)(react-dom@19.2.4(react@19.2.4))(react-is@17.0.2)(react@19.2.4)(redux@5.0.1):
@@ -8819,6 +9538,13 @@ snapshots:
 
   stackback@0.0.2: {}
 
+  stats-gl@2.4.2(@types/three@0.183.1)(three@0.180.0):
+    dependencies:
+      '@types/three': 0.183.1
+      three: 0.180.0
+
+  stats.js@0.17.0: {}
+
   std-env@3.10.0: {}
 
   stop-iteration-iterator@1.1.0:
@@ -8947,6 +9673,10 @@ snapshots:
 
   supports-preserve-symlinks-flag@1.0.0: {}
 
+  suspend-react@0.1.3(react@19.2.4):
+    dependencies:
+      react: 19.2.4
+
   swrv@1.1.0(vue@3.5.29(typescript@5.9.3)):
     dependencies:
       vue: 3.5.29(typescript@5.9.3)
@@ -9014,6 +9744,22 @@ snapshots:
     dependencies:
       real-require: 0.2.0
 
+  three-mesh-bvh@0.8.3(three@0.180.0):
+    dependencies:
+      three: 0.180.0
+
+  three-stdlib@2.36.1(three@0.180.0):
+    dependencies:
+      '@types/draco3d': 1.4.10
+      '@types/offscreencanvas': 2019.7.3
+      '@types/webxr': 0.5.24
+      draco3d: 1.5.7
+      fflate: 0.6.10
+      potpack: 1.0.2
+      three: 0.180.0
+
+  three@0.180.0: {}
+
   time-span@5.1.0:
     dependencies:
       convert-hrtime: 5.0.0
@@ -9055,6 +9801,20 @@ snapshots:
 
   trim-lines@3.0.1: {}
 
+  troika-three-text@0.52.4(three@0.180.0):
+    dependencies:
+      bidi-js: 1.0.3
+      three: 0.180.0
+      troika-three-utils: 0.52.4(three@0.180.0)
+      troika-worker-utils: 0.52.0
+      webgl-sdf-generator: 1.1.1
+
+  troika-three-utils@0.52.4(three@0.180.0):
+    dependencies:
+      three: 0.180.0
+
+  troika-worker-utils@0.52.0: {}
+
   trough@2.2.0: {}
 
   truncate-json@3.0.1:
@@ -9088,6 +9848,14 @@ snapshots:
     dependencies:
       safe-buffer: 5.2.1
 
+  tunnel-rat@0.1.2(@types/react@19.2.13)(immer@11.1.3)(react@19.2.4):
+    dependencies:
+      zustand: 4.5.7(@types/react@19.2.13)(immer@11.1.3)(react@19.2.4)
+    transitivePeerDependencies:
+      - '@types/react'
+      - immer
+      - react
+
   type-check@0.4.0:
     dependencies:
       prelude-ls: 1.2.1
@@ -9235,6 +10003,8 @@ snapshots:
 
   util-deprecate@1.0.2: {}
 
+  utility-types@3.11.0: {}
+
   vfile-location@5.0.3:
     dependencies:
       '@types/unist': 3.0.3
@@ -9374,6 +10144,10 @@ snapshots:
 
   web-worker@1.5.0: {}
 
+  webgl-constants@1.1.1: {}
+
+  webgl-sdf-generator@1.1.1: {}
+
   webidl-conversions@7.0.0: {}
 
   whatwg-encoding@3.1.1:
@@ -9474,4 +10248,11 @@ snapshots:
       react: 19.2.4
       use-sync-external-store: 1.6.0(react@19.2.4)
 
+  zustand@5.0.8(@types/react@19.2.13)(immer@11.1.3)(react@19.2.4)(use-sync-external-store@1.6.0(react@19.2.4)):
+    optionalDependencies:
+      '@types/react': 19.2.13
+      immer: 11.1.3
+      react: 19.2.4
+      use-sync-external-store: 1.6.0(react@19.2.4)
+
   zwitch@2.0.4: {}

scripts/check-node-version.mjs

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+
+const REQUIRED_NODE_MAJOR = 22
+
+const current = process.versions.node
+const currentMajor = Number.parseInt(current.split('.')[0] || '', 10)
+
+if (currentMajor !== REQUIRED_NODE_MAJOR) {
+  console.error(
+    [
+      `error: Mission Control requires Node ${REQUIRED_NODE_MAJOR}.x, but found ${current}.`,
+      'use `nvm use 22` (or your version manager equivalent) before installing, building, or starting the app.',
+    ].join('\n')
+  )
+  process.exit(1)
+}

scripts/deploy-standalone.sh

@@ -0,0 +1,251 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+BRANCH="${BRANCH:-$(git -C "$PROJECT_ROOT" branch --show-current)}"
+PORT="${PORT:-3000}"
+LISTEN_HOST="${MC_HOSTNAME:-0.0.0.0}"
+LOG_PATH="${LOG_PATH:-/tmp/mc.log}"
+VERIFY_HOST="${VERIFY_HOST:-127.0.0.1}"
+PID_FILE="${PID_FILE:-$PROJECT_ROOT/.next/standalone/server.pid}"
+SOURCE_DATA_DIR="$PROJECT_ROOT/.data"
+BUILD_DATA_DIR="$PROJECT_ROOT/.next/build-runtime"
+NODE_VERSION_FILE="$PROJECT_ROOT/.nvmrc"
+
+use_project_node() {
+  if [[ ! -f "$NODE_VERSION_FILE" ]]; then
+    return
+  fi
+
+  if [[ -z "${NVM_DIR:-}" ]]; then
+    export NVM_DIR="$HOME/.nvm"
+  fi
+
+  if [[ -s "$NVM_DIR/nvm.sh" ]]; then
+    # shellcheck disable=SC1090
+    source "$NVM_DIR/nvm.sh"
+    nvm use >/dev/null
+  fi
+}
+
+list_listener_pids() {
+  local combined=""
+
+  if command -v lsof >/dev/null 2>&1; then
+    combined+="$(
+      lsof -tiTCP:"$PORT" -sTCP:LISTEN 2>/dev/null || true
+    )"$'\n'
+  fi
+
+  if command -v ss >/dev/null 2>&1; then
+    combined+="$(
+      ss -ltnp 2>/dev/null | awk -v port=":$PORT" '
+        index($4, port) || index($5, port) {
+          if (match($0, /pid=[0-9]+/)) {
+            print substr($0, RSTART + 4, RLENGTH - 4)
+          }
+        }
+      '
+    )"$'\n'
+  fi
+
+  printf '%s\n' "$combined" | awk -v port="$PORT" '
+    /^[0-9]+$/ {
+      seen[$0] = 1
+    }
+    END {
+      for (pid in seen) {
+        print pid
+      }
+    }
+  ' | sort -u
+}
+
+stop_pid() {
+  local pid="$1"
+  local label="$2"
+
+  if [[ -z "$pid" ]] || ! kill -0 "$pid" 2>/dev/null; then
+    return
+  fi
+
+  echo "==> stopping $label (pid=$pid)"
+  kill "$pid" 2>/dev/null || true
+
+  for _ in $(seq 1 10); do
+    if ! kill -0 "$pid" 2>/dev/null; then
+      return
+    fi
+    sleep 1
+  done
+
+  echo "==> force stopping $label (pid=$pid)"
+  kill -9 "$pid" 2>/dev/null || true
+}
+
+stop_existing_server() {
+  local -a candidate_pids=()
+
+  if [[ -f "$PID_FILE" ]]; then
+    candidate_pids+=("$(cat "$PID_FILE" 2>/dev/null || true)")
+  fi
+
+  while IFS= read -r pid; do
+    candidate_pids+=("$pid")
+  done < <(list_listener_pids)
+
+  if command -v pgrep >/dev/null 2>&1; then
+    while IFS= read -r pid; do
+      candidate_pids+=("$pid")
+    done < <(pgrep -f "$PROJECT_ROOT/.next/standalone/server.js" || true)
+  fi
+
+  if [[ ${#candidate_pids[@]} -eq 0 ]]; then
+    return
+  fi
+
+  declare -A seen=()
+  for pid in "${candidate_pids[@]}"; do
+    [[ -z "$pid" ]] && continue
+    [[ -n "${seen[$pid]:-}" ]] && continue
+    seen[$pid]=1
+    stop_pid "$pid" "standalone server"
+  done
+
+  for _ in $(seq 1 10); do
+    if [[ -z "$(list_listener_pids | head -n1)" ]]; then
+      rm -f "$PID_FILE"
+      return
+    fi
+    sleep 1
+  done
+
+  echo "error: port $PORT is still in use after stopping existing server" >&2
+  exit 1
+}
+
+load_env() {
+  set -a
+  if [[ -f .env ]]; then
+    # shellcheck disable=SC1091
+    source .env
+  fi
+  if [[ -f .env.local ]]; then
+    # shellcheck disable=SC1091
+    source .env.local
+  fi
+  set +a
+}
+
+migrate_runtime_data_dir() {
+  local target_data_dir="${MISSION_CONTROL_DATA_DIR:-$SOURCE_DATA_DIR}"
+
+  if [[ "$target_data_dir" == "$SOURCE_DATA_DIR" ]]; then
+    return
+  fi
+
+  mkdir -p "$target_data_dir"
+
+  local source_db="$SOURCE_DATA_DIR/mission-control.db"
+  local target_db="$target_data_dir/mission-control.db"
+
+  if [[ -s "$target_db" || ! -s "$source_db" ]]; then
+    return
+  fi
+
+  echo "==> migrating runtime data to $target_data_dir"
+  if command -v sqlite3 >/dev/null 2>&1; then
+    local target_db_tmp="$target_db.tmp"
+    rm -f "$target_db_tmp"
+    sqlite3 "$source_db" ".backup '$target_db_tmp'"
+    mv "$target_db_tmp" "$target_db"
+
+    if [[ -f "$SOURCE_DATA_DIR/mission-control-tokens.json" ]]; then
+      cp "$SOURCE_DATA_DIR/mission-control-tokens.json" "$target_data_dir/mission-control-tokens.json"
+    fi
+    if [[ -d "$SOURCE_DATA_DIR/backups" ]]; then
+      rsync -a "$SOURCE_DATA_DIR/backups"/ "$target_data_dir/backups"/
+    fi
+  else
+    rsync -a \
+      --exclude 'mission-control.db-shm' \
+      --exclude 'mission-control.db-wal' \
+      --exclude '*.db-shm' \
+      --exclude '*.db-wal' \
+      "$SOURCE_DATA_DIR"/ "$target_data_dir"/
+  fi
+}
+
+cd "$PROJECT_ROOT"
+use_project_node
+
+echo "==> fetching branch $BRANCH"
+git fetch origin "$BRANCH"
+git merge --ff-only FETCH_HEAD
+
+load_env
+migrate_runtime_data_dir
+
+echo "==> stopping existing standalone server before rebuild"
+stop_existing_server
+
+echo "==> installing dependencies"
+pnpm install --frozen-lockfile
+
+echo "==> rebuilding standalone bundle"
+rm -rf .next
+mkdir -p "$BUILD_DATA_DIR"
+MISSION_CONTROL_DATA_DIR="$BUILD_DATA_DIR" \
+MISSION_CONTROL_DB_PATH="$BUILD_DATA_DIR/mission-control.db" \
+MISSION_CONTROL_TOKENS_PATH="$BUILD_DATA_DIR/mission-control-tokens.json" \
+pnpm build
+
+echo "==> starting standalone server"
+load_env
+
+PORT="$PORT" HOSTNAME="$LISTEN_HOST" nohup bash "$PROJECT_ROOT/scripts/start-standalone.sh" >"$LOG_PATH" 2>&1 &
+new_pid=$!
+echo "$new_pid" > "$PID_FILE"
+
+echo "==> verifying process and static assets"
+for _ in $(seq 1 20); do
+  if curl -fsS "http://$VERIFY_HOST:$PORT/login" >/dev/null 2>&1; then
+    break
+  fi
+  sleep 1
+done
+
+login_html="$(curl -fsS "http://$VERIFY_HOST:$PORT/login")"
+css_path="$(printf '%s\n' "$login_html" | sed -n 's|.*\(/_next/static/chunks/[^"]*\.css\).*|\1|p' | sed -n '1p')"
+if [[ -z "${css_path:-}" ]]; then
+  echo "error: no css asset found in rendered login HTML" >&2
+  exit 1
+fi
+
+listener_pid="$(list_listener_pids | head -n1)"
+if [[ -z "${listener_pid:-}" ]]; then
+  echo "error: no listener detected on port $PORT after startup" >&2
+  exit 1
+fi
+if [[ "$listener_pid" != "$new_pid" ]]; then
+  echo "error: port $PORT is owned by pid=$listener_pid, expected new pid=$new_pid" >&2
+  exit 1
+fi
+
+css_disk_path="$PROJECT_ROOT/.next/standalone/.next${css_path#/_next}"
+if [[ ! -f "$css_disk_path" ]]; then
+  echo "error: rendered css asset missing on disk: $css_disk_path" >&2
+  exit 1
+fi
+
+content_type="$(curl -fsSI "http://$VERIFY_HOST:$PORT$css_path" | awk 'BEGIN{IGNORECASE=1} /^content-type:/ {print $2}' | tr -d '\r')"
+if [[ "${content_type:-}" != text/css* ]]; then
+  echo "error: css asset served with unexpected content-type: ${content_type:-missing}" >&2
+  exit 1
+fi
+
+echo "==> deployed commit $(git rev-parse --short HEAD)"
+echo "    pid=$new_pid port=$PORT css=$css_path"

scripts/e2e-openclaw/start-e2e-server.mjs

@@ -1,9 +1,30 @@
 #!/usr/bin/env node
 import { spawn } from 'node:child_process'
 import fs from 'node:fs'
+import net from 'node:net'
 import path from 'node:path'
 import process from 'node:process'
 
+async function findAvailablePort(host = '127.0.0.1') {
+  return await new Promise((resolve, reject) => {
+    const server = net.createServer()
+    server.unref()
+    server.on('error', reject)
+    server.listen(0, host, () => {
+      const address = server.address()
+      if (!address || typeof address === 'string') {
+        server.close(() => reject(new Error('failed to resolve dynamic port')))
+        return
+      }
+      const { port } = address
+      server.close((err) => {
+        if (err) reject(err)
+        else resolve(port)
+      })
+    })
+  })
+}
+
 const modeArg = process.argv.find((arg) => arg.startsWith('--mode='))
 const mode = modeArg ? modeArg.split('=')[1] : 'local'
 if (mode !== 'local' && mode !== 'gateway') {
@@ -16,6 +37,7 @@ const fixtureSource = path.join(repoRoot, 'tests', 'fixtures', 'openclaw')
 const runtimeRoot = path.join(repoRoot, '.tmp', 'e2e-openclaw', mode)
 const dataDir = path.join(runtimeRoot, 'data')
 const mockBinDir = path.join(repoRoot, 'scripts', 'e2e-openclaw', 'bin')
+const skillsRoot = path.join(runtimeRoot, 'skills')
 
 fs.rmSync(runtimeRoot, { recursive: true, force: true })
 fs.mkdirSync(runtimeRoot, { recursive: true })
@@ -23,13 +45,14 @@ fs.mkdirSync(dataDir, { recursive: true })
 fs.cpSync(fixtureSource, runtimeRoot, { recursive: true })
 
 const gatewayHost = '127.0.0.1'
-const gatewayPort = '18789'
+const gatewayPort = String(await findAvailablePort(gatewayHost))
 
 const baseEnv = {
   ...process.env,
   API_KEY: process.env.API_KEY || 'test-api-key-e2e-12345',
   AUTH_USER: process.env.AUTH_USER || 'admin',
   AUTH_PASS: process.env.AUTH_PASS || 'admin',
+  MISSION_CONTROL_TEST_MODE: process.env.MISSION_CONTROL_TEST_MODE || '1',
   MC_DISABLE_RATE_LIMIT: '1',
   MISSION_CONTROL_DATA_DIR: dataDir,
   MISSION_CONTROL_DB_PATH: path.join(dataDir, 'mission-control.db'),
@@ -39,11 +62,17 @@ const baseEnv = {
   OPENCLAW_GATEWAY_PORT: gatewayPort,
   OPENCLAW_BIN: path.join(mockBinDir, 'openclaw'),
   CLAWDBOT_BIN: path.join(mockBinDir, 'clawdbot'),
+  MC_SKILLS_USER_AGENTS_DIR: path.join(skillsRoot, 'user-agents'),
+  MC_SKILLS_USER_CODEX_DIR: path.join(skillsRoot, 'user-codex'),
+  MC_SKILLS_PROJECT_AGENTS_DIR: path.join(skillsRoot, 'project-agents'),
+  MC_SKILLS_PROJECT_CODEX_DIR: path.join(skillsRoot, 'project-codex'),
+  MC_SKILLS_OPENCLAW_DIR: path.join(skillsRoot, 'openclaw'),
   PATH: `${mockBinDir}:${process.env.PATH || ''}`,
   E2E_GATEWAY_EXPECTED: mode === 'gateway' ? '1' : '0',
 }
 
 const children = []
+let app = null
 
 if (mode === 'gateway') {
   const gw = spawn('node', ['scripts/e2e-openclaw/mock-gateway.mjs'], {
@@ -51,11 +80,24 @@ if (mode === 'gateway') {
     env: baseEnv,
     stdio: 'inherit',
   })
+  gw.on('error', (err) => {
+    process.stderr.write(`[openclaw-e2e] mock gateway failed to start: ${String(err)}\n`)
+    shutdown('SIGTERM')
+    process.exit(1)
+  })
+  gw.on('exit', (code, signal) => {
+    const exitCode = code ?? (signal ? 1 : 0)
+    if (exitCode !== 0) {
+      process.stderr.write(`[openclaw-e2e] mock gateway exited unexpectedly (code=${exitCode}, signal=${signal ?? 'none'})\n`)
+      shutdown('SIGTERM')
+      process.exit(exitCode)
+    }
+  })
   children.push(gw)
 }
 
 const standaloneServerPath = path.join(repoRoot, '.next', 'standalone', 'server.js')
-const app = fs.existsSync(standaloneServerPath)
+app = fs.existsSync(standaloneServerPath)
   ? spawn('node', [standaloneServerPath], {
       cwd: repoRoot,
       env: {

scripts/generate-env.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# Generate a secure .env file from .env.example with random secrets.
+# Usage: bash scripts/generate-env.sh [output-path]
+#
+# If output-path is omitted, writes to .env in the project root.
+# Will NOT overwrite an existing .env unless --force is passed.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+EXAMPLE_FILE="$PROJECT_ROOT/.env.example"
+FORCE=false
+OUTPUT=""
+
+for arg in "$@"; do
+  case "$arg" in
+    --force) FORCE=true ;;
+    *) OUTPUT="$arg" ;;
+  esac
+done
+
+OUTPUT="${OUTPUT:-$PROJECT_ROOT/.env}"
+
+if [[ -f "$OUTPUT" ]] && ! $FORCE; then
+  echo "Error: $OUTPUT already exists. Use --force to overwrite."
+  exit 1
+fi
+
+if [[ ! -f "$EXAMPLE_FILE" ]]; then
+  echo "Error: .env.example not found at $EXAMPLE_FILE"
+  exit 1
+fi
+
+# Generate cryptographically random values
+generate_password() {
+  local len="${1:-24}"
+  # Use openssl if available, fallback to /dev/urandom
+  if command -v openssl &>/dev/null; then
+    openssl rand -base64 "$((len * 3 / 4 + 1))" | tr -dc 'A-Za-z0-9' | head -c "$len"
+  else
+    head -c "$((len * 2))" /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$len"
+  fi
+}
+
+generate_hex() {
+  local len="${1:-32}"
+  if command -v openssl &>/dev/null; then
+    openssl rand -hex "$((len / 2))"
+  else
+    head -c "$((len / 2))" /dev/urandom | od -An -tx1 | tr -d ' \n' | head -c "$len"
+  fi
+}
+
+AUTH_PASS="$(generate_password 24)"
+API_KEY="$(generate_hex 32)"
+AUTH_SECRET="$(generate_password 32)"
+
+# Copy .env.example and replace default secrets
+cp "$EXAMPLE_FILE" "$OUTPUT"
+
+# Replace the insecure defaults with generated values
+if [[ "$(uname)" == "Darwin" ]]; then
+  sed -i '' "s|^AUTH_PASS=.*|AUTH_PASS=$AUTH_PASS|" "$OUTPUT"
+  sed -i '' "s|^API_KEY=.*|API_KEY=$API_KEY|" "$OUTPUT"
+  sed -i '' "s|^AUTH_SECRET=.*|AUTH_SECRET=$AUTH_SECRET|" "$OUTPUT"
+else
+  sed -i "s|^AUTH_PASS=.*|AUTH_PASS=$AUTH_PASS|" "$OUTPUT"
+  sed -i "s|^API_KEY=.*|API_KEY=$API_KEY|" "$OUTPUT"
+  sed -i "s|^AUTH_SECRET=.*|AUTH_SECRET=$AUTH_SECRET|" "$OUTPUT"
+fi
+
+# Lock down permissions
+chmod 600 "$OUTPUT"
+
+echo "Generated secure .env at $OUTPUT"
+echo "  AUTH_USER: admin"
+echo "  AUTH_PASS: $AUTH_PASS"
+echo "  API_KEY:   $API_KEY"
+echo ""
+echo "Save these credentials — they are not stored elsewhere."

scripts/security-audit.sh

@@ -0,0 +1,168 @@
+#!/usr/bin/env bash
+# Mission Control Security Audit
+# Run: bash scripts/security-audit.sh [--env-file .env]
+
+set -euo pipefail
+
+SCORE=0
+MAX_SCORE=0
+ISSUES=()
+
+pass() { echo "  [PASS] $1"; ((SCORE++)); ((MAX_SCORE++)); }
+fail() { echo "  [FAIL] $1"; ISSUES+=("$1"); ((MAX_SCORE++)); }
+warn() { echo "  [WARN] $1"; ((MAX_SCORE++)); }
+info() { echo "  [INFO] $1"; }
+
+# Load .env if exists
+ENV_FILE="${1:-.env}"
+if [[ -f "$ENV_FILE" ]]; then
+  while IFS='=' read -r key value; do
+    [[ "$key" =~ ^#.*$ ]] && continue
+    [[ -z "$key" ]] && continue
+    declare "$key=$value" 2>/dev/null || true
+  done < "$ENV_FILE"
+fi
+
+echo "=== Mission Control Security Audit ==="
+echo ""
+
+# 1. .env file permissions
+echo "--- File Permissions ---"
+if [[ -f "$ENV_FILE" ]]; then
+  perms=$(stat -f '%A' "$ENV_FILE" 2>/dev/null || stat -c '%a' "$ENV_FILE" 2>/dev/null)
+  if [[ "$perms" == "600" ]]; then
+    pass ".env permissions are 600 (owner read/write only)"
+  else
+    fail ".env permissions are $perms (should be 600). Run: chmod 600 $ENV_FILE"
+  fi
+else
+  warn ".env file not found at $ENV_FILE"
+fi
+
+# 2. Default passwords check
+echo ""
+echo "--- Credentials ---"
+INSECURE_PASSWORDS=("admin" "password" "change-me-on-first-login" "changeme" "testpass123" "testpass1234")
+AUTH_PASS_VAL="${AUTH_PASS:-}"
+if [[ -z "$AUTH_PASS_VAL" ]]; then
+  fail "AUTH_PASS is not set"
+else
+  insecure=false
+  for bad in "${INSECURE_PASSWORDS[@]}"; do
+    if [[ "$AUTH_PASS_VAL" == "$bad" ]]; then
+      insecure=true; break
+    fi
+  done
+  if $insecure; then
+    fail "AUTH_PASS is set to a known insecure default"
+  elif [[ ${#AUTH_PASS_VAL} -lt 12 ]]; then
+    fail "AUTH_PASS is too short (${#AUTH_PASS_VAL} chars, minimum 12)"
+  else
+    pass "AUTH_PASS is set to a non-default value (${#AUTH_PASS_VAL} chars)"
+  fi
+fi
+
+API_KEY_VAL="${API_KEY:-}"
+if [[ -z "$API_KEY_VAL" || "$API_KEY_VAL" == "generate-a-random-key" ]]; then
+  fail "API_KEY is not set or uses the default value"
+else
+  pass "API_KEY is configured"
+fi
+
+# 3. Network config
+echo ""
+echo "--- Network Security ---"
+MC_ALLOWED="${MC_ALLOWED_HOSTS:-}"
+MC_ANY="${MC_ALLOW_ANY_HOST:-}"
+if [[ "$MC_ANY" == "1" || "$MC_ANY" == "true" ]]; then
+  fail "MC_ALLOW_ANY_HOST is enabled (any host can connect)"
+elif [[ -n "$MC_ALLOWED" ]]; then
+  pass "MC_ALLOWED_HOSTS is configured: $MC_ALLOWED"
+else
+  warn "MC_ALLOWED_HOSTS is not set (defaults apply)"
+fi
+
+# 4. Cookie/HTTPS config
+echo ""
+echo "--- HTTPS & Cookies ---"
+COOKIE_SECURE="${MC_COOKIE_SECURE:-}"
+if [[ "$COOKIE_SECURE" == "1" || "$COOKIE_SECURE" == "true" ]]; then
+  pass "MC_COOKIE_SECURE is enabled"
+else
+  warn "MC_COOKIE_SECURE is not enabled (cookies sent over HTTP)"
+fi
+
+SAMESITE="${MC_COOKIE_SAMESITE:-strict}"
+if [[ "$SAMESITE" == "strict" ]]; then
+  pass "MC_COOKIE_SAMESITE is strict"
+else
+  warn "MC_COOKIE_SAMESITE is '$SAMESITE' (strict recommended)"
+fi
+
+HSTS="${MC_ENABLE_HSTS:-}"
+if [[ "$HSTS" == "1" ]]; then
+  pass "HSTS is enabled"
+else
+  warn "HSTS is not enabled (set MC_ENABLE_HSTS=1 for HTTPS deployments)"
+fi
+
+# 5. Rate limiting
+echo ""
+echo "--- Rate Limiting ---"
+RL_DISABLED="${MC_DISABLE_RATE_LIMIT:-}"
+if [[ "$RL_DISABLED" == "1" ]]; then
+  fail "Rate limiting is disabled (MC_DISABLE_RATE_LIMIT=1)"
+else
+  pass "Rate limiting is active"
+fi
+
+# 6. Docker security (if running in Docker)
+echo ""
+echo "--- Docker Security ---"
+if command -v docker &>/dev/null; then
+  if docker ps --filter name=mission-control --format '{{.Names}}' 2>/dev/null | grep -q mission-control; then
+    ro=$(docker inspect mission-control --format '{{.HostConfig.ReadonlyRootfs}}' 2>/dev/null || echo "false")
+    if [[ "$ro" == "true" ]]; then
+      pass "Container filesystem is read-only"
+    else
+      warn "Container filesystem is writable (use read_only: true)"
+    fi
+
+    nnp=$(docker inspect mission-control --format '{{.HostConfig.SecurityOpt}}' 2>/dev/null || echo "[]")
+    if echo "$nnp" | grep -q "no-new-privileges"; then
+      pass "no-new-privileges is set"
+    else
+      warn "no-new-privileges not set"
+    fi
+
+    user=$(docker inspect mission-control --format '{{.Config.User}}' 2>/dev/null || echo "")
+    if [[ -n "$user" && "$user" != "root" && "$user" != "0" ]]; then
+      pass "Container runs as non-root user ($user)"
+    else
+      warn "Container may be running as root"
+    fi
+  else
+    info "Mission Control container not running"
+  fi
+else
+  info "Docker not installed (skipping container checks)"
+fi
+
+# Summary
+echo ""
+echo "=== Security Score: $SCORE / $MAX_SCORE ==="
+if [[ ${#ISSUES[@]} -gt 0 ]]; then
+  echo ""
+  echo "Issues to fix:"
+  for issue in "${ISSUES[@]}"; do
+    echo "  - $issue"
+  done
+fi
+
+if [[ $SCORE -eq $MAX_SCORE ]]; then
+  echo "All checks passed!"
+elif [[ $SCORE -ge $((MAX_SCORE * 7 / 10)) ]]; then
+  echo "Good security posture with minor improvements needed."
+else
+  echo "Security improvements recommended before production use."
+fi

scripts/smoke-staging.mjs

@@ -0,0 +1,168 @@
+#!/usr/bin/env node
+const baseUrl = (process.env.STAGING_BASE_URL || process.env.BASE_URL || '').replace(/\/$/, '')
+const apiKey = process.env.STAGING_API_KEY || process.env.API_KEY || ''
+const authUser = process.env.STAGING_AUTH_USER || process.env.AUTH_USER || ''
+const authPass = process.env.STAGING_AUTH_PASS || process.env.AUTH_PASS || ''
+
+if (!baseUrl) {
+  console.error('Missing STAGING_BASE_URL (or BASE_URL).')
+  process.exit(1)
+}
+if (!apiKey) {
+  console.error('Missing STAGING_API_KEY (or API_KEY).')
+  process.exit(1)
+}
+if (!authUser || !authPass) {
+  console.error('Missing STAGING_AUTH_USER/STAGING_AUTH_PASS (or AUTH_USER/AUTH_PASS).')
+  process.exit(1)
+}
+
+const headers = {
+  'x-api-key': apiKey,
+  'content-type': 'application/json',
+}
+
+let createdProjectId = null
+let createdTaskId = null
+let createdAgentId = null
+
+async function call(path, options = {}) {
+  const res = await fetch(`${baseUrl}${path}`, options)
+  const text = await res.text()
+  let body = null
+  try {
+    body = text ? JSON.parse(text) : null
+  } catch {
+    body = { raw: text }
+  }
+  return { res, body }
+}
+
+function assertStatus(actual, expected, label) {
+  if (actual !== expected) {
+    throw new Error(`${label} failed: expected ${expected}, got ${actual}`)
+  }
+  console.log(`PASS ${label}`)
+}
+
+async function run() {
+  const login = await call('/api/auth/login', {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ username: authUser, password: authPass }),
+  })
+  assertStatus(login.res.status, 200, 'login')
+
+  const workspaces = await call('/api/workspaces', { headers })
+  assertStatus(workspaces.res.status, 200, 'GET /api/workspaces')
+
+  const suffix = `${Date.now()}-${Math.random().toString(36).slice(2, 7)}`
+  const ticketPrefix = `S${String(Date.now()).slice(-5)}`
+
+  const projectCreate = await call('/api/projects', {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({
+      name: `staging-smoke-${suffix}`,
+      ticket_prefix: ticketPrefix,
+    }),
+  })
+  assertStatus(projectCreate.res.status, 201, 'POST /api/projects')
+  createdProjectId = projectCreate.body?.project?.id
+  if (!createdProjectId) throw new Error('project id missing')
+
+  const projectGet = await call(`/api/projects/${createdProjectId}`, { headers })
+  assertStatus(projectGet.res.status, 200, 'GET /api/projects/[id]')
+
+  const projectPatch = await call(`/api/projects/${createdProjectId}`, {
+    method: 'PATCH',
+    headers,
+    body: JSON.stringify({ description: 'staging smoke update' }),
+  })
+  assertStatus(projectPatch.res.status, 200, 'PATCH /api/projects/[id]')
+
+  const agentCreate = await call('/api/agents', {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({ name: `smoke-agent-${suffix}`, role: 'tester' }),
+  })
+  assertStatus(agentCreate.res.status, 201, 'POST /api/agents')
+  createdAgentId = agentCreate.body?.agent?.id
+
+  const assign = await call(`/api/projects/${createdProjectId}/agents`, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({ agent_name: `smoke-agent-${suffix}`, role: 'member' }),
+  })
+  assertStatus(assign.res.status, 201, 'POST /api/projects/[id]/agents')
+
+  const projectTasksCreate = await call('/api/tasks', {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({
+      title: `smoke-task-${suffix}`,
+      project_id: createdProjectId,
+      priority: 'medium',
+      status: 'inbox',
+    }),
+  })
+  assertStatus(projectTasksCreate.res.status, 201, 'POST /api/tasks (project scoped)')
+  createdTaskId = projectTasksCreate.body?.task?.id
+
+  const projectTasksGet = await call(`/api/projects/${createdProjectId}/tasks`, { headers })
+  assertStatus(projectTasksGet.res.status, 200, 'GET /api/projects/[id]/tasks')
+
+  const unassign = await call(`/api/projects/${createdProjectId}/agents?agent_name=${encodeURIComponent(`smoke-agent-${suffix}`)}`, {
+    method: 'DELETE',
+    headers,
+  })
+  assertStatus(unassign.res.status, 200, 'DELETE /api/projects/[id]/agents')
+
+  if (createdTaskId) {
+    const deleteTask = await call(`/api/tasks/${createdTaskId}`, {
+      method: 'DELETE',
+      headers,
+    })
+    assertStatus(deleteTask.res.status, 200, 'DELETE /api/tasks/[id]')
+    createdTaskId = null
+  }
+
+  if (createdProjectId) {
+    const deleteProject = await call(`/api/projects/${createdProjectId}?mode=delete`, {
+      method: 'DELETE',
+      headers,
+    })
+    assertStatus(deleteProject.res.status, 200, 'DELETE /api/projects/[id]?mode=delete')
+    createdProjectId = null
+  }
+
+  if (createdAgentId) {
+    const deleteAgent = await call(`/api/agents/${createdAgentId}`, {
+      method: 'DELETE',
+      headers,
+    })
+    if (deleteAgent.res.status !== 200 && deleteAgent.res.status !== 404) {
+      throw new Error(`DELETE /api/agents/[id] cleanup failed: ${deleteAgent.res.status}`)
+    }
+    createdAgentId = null
+    console.log('PASS cleanup agent')
+  }
+
+  console.log(`\nSmoke test passed for ${baseUrl}`)
+}
+
+run().catch(async (error) => {
+  console.error(`\nSmoke test failed: ${error.message}`)
+
+  if (createdTaskId) {
+    await call(`/api/tasks/${createdTaskId}`, { method: 'DELETE', headers }).catch(() => {})
+  }
+  if (createdProjectId) {
+    await call(`/api/projects/${createdProjectId}?mode=delete`, { method: 'DELETE', headers }).catch(() => {})
+  }
+  if (createdAgentId) {
+    await call(`/api/agents/${createdAgentId}`, { method: 'DELETE', headers }).catch(() => {})
+  }
+
+  process.exit(1)
+})

scripts/start-standalone.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+STANDALONE_DIR="$PROJECT_ROOT/.next/standalone"
+STANDALONE_NEXT_DIR="$STANDALONE_DIR/.next"
+STANDALONE_STATIC_DIR="$STANDALONE_NEXT_DIR/static"
+SOURCE_STATIC_DIR="$PROJECT_ROOT/.next/static"
+SOURCE_PUBLIC_DIR="$PROJECT_ROOT/public"
+STANDALONE_PUBLIC_DIR="$STANDALONE_DIR/public"
+
+if [[ ! -f "$STANDALONE_DIR/server.js" ]]; then
+  echo "error: standalone server missing at $STANDALONE_DIR/server.js" >&2
+  echo "run 'pnpm build' first" >&2
+  exit 1
+fi
+
+mkdir -p "$STANDALONE_NEXT_DIR"
+
+if [[ -d "$SOURCE_STATIC_DIR" ]]; then
+  rm -rf "$STANDALONE_STATIC_DIR"
+  cp -R "$SOURCE_STATIC_DIR" "$STANDALONE_STATIC_DIR"
+fi
+
+if [[ -d "$SOURCE_PUBLIC_DIR" ]]; then
+  rm -rf "$STANDALONE_PUBLIC_DIR"
+  cp -R "$SOURCE_PUBLIC_DIR" "$STANDALONE_PUBLIC_DIR"
+fi
+
+cd "$STANDALONE_DIR"
+exec node server.js

scripts/station-doctor.sh

@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+# Mission Control Station Doctor
+# Local diagnostics — no auth required, runs on the host.
+#
+# Usage: bash scripts/station-doctor.sh [--port PORT]
+
+set -euo pipefail
+
+MC_PORT="${1:-3000}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+# Parse args
+for arg in "$@"; do
+  case "$arg" in
+    --port) shift; MC_PORT="$1"; shift ;;
+  esac
+done
+
+PASS=0
+WARN=0
+FAIL=0
+
+pass() { echo "  [PASS] $1"; ((PASS++)); }
+warn() { echo "  [WARN] $1"; ((WARN++)); }
+fail() { echo "  [FAIL] $1"; ((FAIL++)); }
+info() { echo "  [INFO] $1"; }
+
+echo "=== Mission Control Station Doctor ==="
+echo ""
+
+# ── 1. Process / Container check ─────────────────────────────────────────────
+echo "--- Service Status ---"
+
+RUNNING_IN_DOCKER=false
+if command -v docker &>/dev/null; then
+  if docker ps --filter name=mission-control --format '{{.Names}}' 2>/dev/null | grep -q mission-control; then
+    RUNNING_IN_DOCKER=true
+    health=$(docker inspect mission-control --format '{{.State.Health.Status}}' 2>/dev/null || echo "none")
+    if [[ "$health" == "healthy" ]]; then
+      pass "Docker container is healthy"
+    elif [[ "$health" == "starting" ]]; then
+      warn "Docker container is starting"
+    else
+      fail "Docker container health: $health"
+    fi
+  fi
+fi
+
+if ! $RUNNING_IN_DOCKER; then
+  if pgrep -f "node.*server.js" &>/dev/null || pgrep -f "next-server" &>/dev/null; then
+    pass "Mission Control process is running"
+  else
+    fail "Mission Control process not found"
+  fi
+fi
+
+# ── 2. Port check ────────────────────────────────────────────────────────────
+echo ""
+echo "--- Network ---"
+
+if curl -sf "http://localhost:$MC_PORT/login" &>/dev/null; then
+  pass "Port $MC_PORT is responding"
+else
+  fail "Port $MC_PORT is not responding"
+fi
+
+# ── 3. API health ─────────────────────────────────────────────────────────────
+# Try unauthenticated — will get 401 but proves the server is up
+http_code=$(curl -sf -o /dev/null -w "%{http_code}" "http://localhost:$MC_PORT/api/status?action=health" 2>/dev/null || echo "000")
+if [[ "$http_code" == "200" ]]; then
+  pass "Health API responding (200)"
+elif [[ "$http_code" == "401" ]]; then
+  pass "Health API responding (auth required — expected)"
+elif [[ "$http_code" == "000" ]]; then
+  fail "Health API not reachable"
+else
+  warn "Health API returned HTTP $http_code"
+fi
+
+# ── 4. Disk space ─────────────────────────────────────────────────────────────
+echo ""
+echo "--- Disk ---"
+
+usage_pct=$(df -h "$PROJECT_ROOT" 2>/dev/null | tail -1 | awk '{for(i=1;i<=NF;i++) if($i ~ /%/) print $i}' | tr -d '%')
+if [[ -n "$usage_pct" ]]; then
+  if [[ "$usage_pct" -lt 85 ]]; then
+    pass "Disk usage: ${usage_pct}%"
+  elif [[ "$usage_pct" -lt 95 ]]; then
+    warn "Disk usage: ${usage_pct}% (getting full)"
+  else
+    fail "Disk usage: ${usage_pct}% (critical)"
+  fi
+fi
+
+# ── 5. Database integrity ────────────────────────────────────────────────────
+echo ""
+echo "--- Database ---"
+
+DB_PATH="$PROJECT_ROOT/.data/mission-control.db"
+if [[ -f "$DB_PATH" ]]; then
+  db_size=$(du -h "$DB_PATH" 2>/dev/null | cut -f1)
+  pass "Database exists ($db_size)"
+
+  # SQLite integrity check
+  if command -v sqlite3 &>/dev/null; then
+    integrity=$(sqlite3 "$DB_PATH" "PRAGMA integrity_check;" 2>/dev/null || echo "error")
+    if [[ "$integrity" == "ok" ]]; then
+      pass "Database integrity check passed"
+    else
+      fail "Database integrity check failed: $integrity"
+    fi
+
+    # WAL mode check
+    journal=$(sqlite3 "$DB_PATH" "PRAGMA journal_mode;" 2>/dev/null || echo "unknown")
+    if [[ "$journal" == "wal" ]]; then
+      pass "WAL mode enabled"
+    else
+      warn "Journal mode: $journal (WAL recommended)"
+    fi
+  else
+    info "sqlite3 not found — skipping integrity check"
+  fi
+else
+  if $RUNNING_IN_DOCKER; then
+    info "Database is inside Docker volume (cannot check directly)"
+  else
+    warn "Database not found at $DB_PATH"
+  fi
+fi
+
+# ── 6. Backup age ────────────────────────────────────────────────────────────
+echo ""
+echo "--- Backups ---"
+
+BACKUP_DIR="$PROJECT_ROOT/.data/backups"
+if [[ -d "$BACKUP_DIR" ]]; then
+  latest_backup=$(find "$BACKUP_DIR" -name "*.db" -type f 2>/dev/null | sort -r | head -1)
+  if [[ -n "$latest_backup" ]]; then
+    if [[ "$(uname)" == "Darwin" ]]; then
+      backup_age_days=$(( ($(date +%s) - $(stat -f %m "$latest_backup")) / 86400 ))
+    else
+      backup_age_days=$(( ($(date +%s) - $(stat -c %Y "$latest_backup")) / 86400 ))
+    fi
+    backup_name=$(basename "$latest_backup")
+    if [[ "$backup_age_days" -lt 1 ]]; then
+      pass "Latest backup: $backup_name (today)"
+    elif [[ "$backup_age_days" -lt 7 ]]; then
+      pass "Latest backup: $backup_name (${backup_age_days}d ago)"
+    elif [[ "$backup_age_days" -lt 30 ]]; then
+      warn "Latest backup: $backup_name (${backup_age_days}d ago — consider more frequent backups)"
+    else
+      fail "Latest backup: $backup_name (${backup_age_days}d ago — stale!)"
+    fi
+  else
+    warn "No backups found in $BACKUP_DIR"
+  fi
+else
+  warn "No backup directory at $BACKUP_DIR"
+fi
+
+# ── 7. OpenClaw gateway ─────────────────────────────────────────────────────
+echo ""
+echo "--- OpenClaw Gateway ---"
+
+GW_HOST="${OPENCLAW_GATEWAY_HOST:-127.0.0.1}"
+GW_PORT="${OPENCLAW_GATEWAY_PORT:-18789}"
+
+if nc -z "$GW_HOST" "$GW_PORT" 2>/dev/null || (echo > "/dev/tcp/$GW_HOST/$GW_PORT") 2>/dev/null; then
+  pass "Gateway reachable at $GW_HOST:$GW_PORT"
+else
+  info "Gateway not reachable at $GW_HOST:$GW_PORT"
+fi
+
+# ── Summary ──────────────────────────────────────────────────────────────────
+echo ""
+TOTAL=$((PASS + WARN + FAIL))
+echo "=== Results: $PASS passed, $WARN warnings, $FAIL failures (of $TOTAL checks) ==="
+
+if [[ $FAIL -gt 0 ]]; then
+  echo "Status: UNHEALTHY"
+  exit 1
+elif [[ $WARN -gt 0 ]]; then
+  echo "Status: DEGRADED"
+  exit 0
+else
+  echo "Status: HEALTHY"
+  exit 0
+fi

skills/mission-control-installer/README.md

@@ -0,0 +1,68 @@
+# Mission Control Installer Skill
+
+Install and configure Mission Control on any Linux or macOS system.
+
+## What This Skill Does
+
+1. Detects the target OS and available runtimes (Docker or Node.js 20+)
+2. Clones or updates the Mission Control repository
+3. Generates a secure `.env` with random credentials
+4. Starts the dashboard via Docker Compose or local Node.js
+5. Runs an OpenClaw fleet health check (cleans stale PIDs, old logs, validates gateway)
+6. Prints the access URL and admin credentials
+
+## Usage
+
+Run the installer script:
+
+```bash
+# Auto-detect deployment mode (prefers Docker)
+bash install.sh
+
+# Force Docker deployment
+bash install.sh --docker
+
+# Force local deployment (Node.js + pnpm)
+bash install.sh --local
+
+# Custom port
+bash install.sh --port 8080
+
+# Skip OpenClaw fleet check
+bash install.sh --skip-openclaw
+```
+
+Or as a one-liner:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/builderz-labs/mission-control/main/install.sh | bash
+```
+
+## Prerequisites
+
+- **Docker mode**: Docker Engine with Docker Compose v2
+- **Local mode**: Node.js 20+, pnpm (auto-installed via corepack if missing)
+- **Both**: git (to clone the repository)
+
+## Post-Install
+
+After installation:
+
+1. Open `http://localhost:3000` (or your configured port)
+2. Log in with the credentials printed by the installer (also in `.env`)
+3. Configure your OpenClaw gateway connection in Settings
+4. Register agents via the Agents panel
+
+## Environment Configuration
+
+The installer generates a `.env` from `.env.example` with secure random values for:
+
+- `AUTH_PASS` — 24-character random password
+- `API_KEY` — 32-character hex API key
+- `AUTH_SECRET` — 32-character session secret
+
+To regenerate credentials independently:
+
+```bash
+bash scripts/generate-env.sh --force
+```

skills/mission-control-installer/skill.json

@@ -0,0 +1,27 @@
+{
+  "name": "mission-control-installer",
+  "version": "1.0.0",
+  "description": "Install and configure Mission Control — the OpenClaw agent orchestration dashboard",
+  "author": "Builderz Labs",
+  "license": "MIT",
+  "tools": ["exec", "fs"],
+  "parameters": {
+    "deployment_mode": {
+      "type": "string",
+      "enum": ["docker", "local"],
+      "default": "docker",
+      "description": "How to deploy Mission Control"
+    },
+    "port": {
+      "type": "number",
+      "default": 3000,
+      "description": "Port for the Mission Control dashboard"
+    },
+    "install_dir": {
+      "type": "string",
+      "default": "",
+      "description": "Installation directory (defaults to ./mission-control)"
+    }
+  },
+  "tags": ["mission-control", "dashboard", "installer", "docker"]
+}

skills/mission-control-manage/README.md

@@ -0,0 +1,104 @@
+# Mission Control Management Skill
+
+Manage a running Mission Control instance programmatically.
+
+## API Endpoints
+
+All endpoints require authentication via `x-api-key` header or session cookie.
+
+### Health Check
+
+```bash
+# Quick health status
+curl -H "x-api-key: $API_KEY" http://localhost:3000/api/status?action=health
+
+# Response: { "status": "healthy", "version": "1.3.0", "checks": [...] }
+```
+
+Possible statuses: `healthy`, `degraded`, `unhealthy`
+
+### System Overview
+
+```bash
+# Full system status (memory, disk, sessions, processes)
+curl -H "x-api-key: $API_KEY" http://localhost:3000/api/status?action=overview
+```
+
+### Diagnostics (Admin Only)
+
+```bash
+# Comprehensive diagnostics including security posture
+curl -H "x-api-key: $API_KEY" http://localhost:3000/api/diagnostics
+
+# Response includes:
+# - system: node version, platform, memory, docker detection
+# - security: score (0-100) with individual checks
+# - database: size, WAL mode, migration version
+# - gateway: configured, reachable, host/port
+# - agents: total count, by status
+# - retention: configured retention policies
+```
+
+### Check for Updates
+
+```bash
+curl -H "x-api-key: $API_KEY" http://localhost:3000/api/releases/check
+
+# Response: { "updateAvailable": true, "currentVersion": "1.3.0", "latestVersion": "1.4.0", ... }
+```
+
+### Trigger Update
+
+```bash
+# Apply available update (bare-metal only; Docker returns instructions)
+curl -X POST -H "x-api-key: $API_KEY" http://localhost:3000/api/releases/update
+```
+
+### Database Backup
+
+```bash
+curl -X POST -H "x-api-key: $API_KEY" http://localhost:3000/api/backup
+```
+
+### Agent Management
+
+```bash
+# List agents
+curl -H "x-api-key: $API_KEY" http://localhost:3000/api/agents
+
+# Register an agent
+curl -X POST -H "x-api-key: $API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"name": "my-agent", "type": "openclaw"}' \
+  http://localhost:3000/api/agents
+```
+
+## Station Doctor
+
+For local diagnostics without API access:
+
+```bash
+bash scripts/station-doctor.sh
+```
+
+Checks: Docker health, port availability, disk space, DB integrity, backup age.
+
+## Common Workflows
+
+### Automated Health Monitoring
+
+```bash
+# Check health and alert if unhealthy
+STATUS=$(curl -sf -H "x-api-key: $API_KEY" http://localhost:3000/api/status?action=health | jq -r '.status')
+if [ "$STATUS" != "healthy" ]; then
+  echo "ALERT: Mission Control is $STATUS"
+fi
+```
+
+### Pre-Upgrade Checklist
+
+1. Check for updates: `GET /api/releases/check`
+2. Create backup: `POST /api/backup`
+3. Run diagnostics: `GET /api/diagnostics` (verify no active tasks)
+4. Apply update: `POST /api/releases/update` (or `docker pull` + recreate for Docker)
+5. Verify health: `GET /api/status?action=health`

skills/mission-control-manage/skill.json

@@ -0,0 +1,20 @@
+{
+  "name": "mission-control-manage",
+  "version": "1.0.0",
+  "description": "Manage a running Mission Control instance — health checks, diagnostics, upgrades, backups",
+  "author": "Builderz Labs",
+  "license": "MIT",
+  "tools": ["exec", "http"],
+  "parameters": {
+    "base_url": {
+      "type": "string",
+      "default": "http://localhost:3000",
+      "description": "Mission Control base URL"
+    },
+    "api_key": {
+      "type": "string",
+      "description": "API key for authentication (x-api-key header)"
+    }
+  },
+  "tags": ["mission-control", "management", "health", "upgrade", "backup"]
+}

src/app/[[...panel]]/page.tsx

@@ -1,18 +1,15 @@
 'use client'
 
-import { useEffect, useState } from 'react'
+import { createElement, useEffect, useState } from 'react'
 import { usePathname, useRouter } from 'next/navigation'
 import { NavRail } from '@/components/layout/nav-rail'
 import { HeaderBar } from '@/components/layout/header-bar'
 import { LiveFeed } from '@/components/layout/live-feed'
 import { Dashboard } from '@/components/dashboard/dashboard'
-import { AgentSpawnPanel } from '@/components/panels/agent-spawn-panel'
 import { LogViewerPanel } from '@/components/panels/log-viewer-panel'
 import { CronManagementPanel } from '@/components/panels/cron-management-panel'
 import { MemoryBrowserPanel } from '@/components/panels/memory-browser-panel'
-import { TokenDashboardPanel } from '@/components/panels/token-dashboard-panel'
-import { AgentCostPanel } from '@/components/panels/agent-cost-panel'
-import { SessionDetailsPanel } from '@/components/panels/session-details-panel'
+import { CostTrackerPanel } from '@/components/panels/cost-tracker-panel'
 import { TaskBoardPanel } from '@/components/panels/task-board-panel'
 import { ActivityFeedPanel } from '@/components/panels/activity-feed-panel'
 import { AgentSquadPanelPhase3 } from '@/components/panels/agent-squad-panel-phase3'
@@ -22,7 +19,6 @@ import { OrchestrationBar } from '@/components/panels/orchestration-bar'
 import { NotificationsPanel } from '@/components/panels/notifications-panel'
 import { UserManagementPanel } from '@/components/panels/user-management-panel'
 import { AuditTrailPanel } from '@/components/panels/audit-trail-panel'
-import { AgentHistoryPanel } from '@/components/panels/agent-history-panel'
 import { WebhookPanel } from '@/components/panels/webhook-panel'
 import { SettingsPanel } from '@/components/panels/settings-panel'
 import { GatewayConfigPanel } from '@/components/panels/gateway-config-panel'
@@ -32,36 +28,176 @@ import { MultiGatewayPanel } from '@/components/panels/multi-gateway-panel'
 import { SuperAdminPanel } from '@/components/panels/super-admin-panel'
 import { OfficePanel } from '@/components/panels/office-panel'
 import { GitHubSyncPanel } from '@/components/panels/github-sync-panel'
-import { DocumentsPanel } from '@/components/panels/documents-panel'
+import { SkillsPanel } from '@/components/panels/skills-panel'
+import { LocalAgentsDocPanel } from '@/components/panels/local-agents-doc-panel'
+import { ChannelsPanel } from '@/components/panels/channels-panel'
+import { DebugPanel } from '@/components/panels/debug-panel'
+import { SecurityAuditPanel } from '@/components/panels/security-audit-panel'
+import { NodesPanel } from '@/components/panels/nodes-panel'
+import { ExecApprovalPanel } from '@/components/panels/exec-approval-panel'
+import { ChatPagePanel } from '@/components/panels/chat-page-panel'
 import { ChatPanel } from '@/components/chat/chat-panel'
+import { getPluginPanel } from '@/lib/plugins'
 import { ErrorBoundary } from '@/components/ErrorBoundary'
 import { LocalModeBanner } from '@/components/layout/local-mode-banner'
 import { UpdateBanner } from '@/components/layout/update-banner'
-import { PromoBanner } from '@/components/layout/promo-banner'
+import { OpenClawUpdateBanner } from '@/components/layout/openclaw-update-banner'
+import { OpenClawDoctorBanner } from '@/components/layout/openclaw-doctor-banner'
+import { OnboardingWizard } from '@/components/onboarding/onboarding-wizard'
+import { Loader } from '@/components/ui/loader'
+import { ProjectManagerModal } from '@/components/modals/project-manager-modal'
+import { ExecApprovalOverlay } from '@/components/modals/exec-approval-overlay'
 import { useWebSocket } from '@/lib/websocket'
 import { useServerEvents } from '@/lib/use-server-events'
+import { completeNavigationTiming } from '@/lib/navigation-metrics'
+import { panelHref, useNavigateToPanel } from '@/lib/navigation'
+import { clearOnboardingDismissedThisSession, clearOnboardingReplayFromStart, getOnboardingSessionDecision, markOnboardingReplayFromStart, readOnboardingDismissedThisSession } from '@/lib/onboarding-session'
+import { Button } from '@/components/ui/button'
 import { useMissionControl } from '@/store'
 
+interface GatewaySummary {
+  id: number
+  is_primary: number
+}
+
+function renderPluginPanel(panelId: string) {
+  const pluginPanel = getPluginPanel(panelId)
+  return pluginPanel ? createElement(pluginPanel) : <Dashboard />
+}
+
+function isLocalHost(hostname: string): boolean {
+  return hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1'
+}
+
 export default function Home() {
   const router = useRouter()
   const { connect } = useWebSocket()
-  const { activeTab, setActiveTab, setCurrentUser, setDashboardMode, setGatewayAvailable, setSubscription, setUpdateAvailable, liveFeedOpen, toggleLiveFeed } = useMissionControl()
+  const { activeTab, setActiveTab, setCurrentUser, setDashboardMode, setGatewayAvailable, setCapabilitiesChecked, setSubscription, setDefaultOrgName, setUpdateAvailable, setOpenclawUpdate, showOnboarding, setShowOnboarding, liveFeedOpen, toggleLiveFeed, showProjectManagerModal, setShowProjectManagerModal, fetchProjects, setChatPanelOpen, bootComplete, setBootComplete, setAgents, setSessions, setProjects, setInterfaceMode, setMemoryGraphAgents, setSkillsData } = useMissionControl()
 
   // Sync URL → Zustand activeTab
   const pathname = usePathname()
   const panelFromUrl = pathname === '/' ? 'overview' : pathname.slice(1)
+  const normalizedPanel = panelFromUrl === 'sessions' ? 'chat' : panelFromUrl
 
   useEffect(() => {
-    setActiveTab(panelFromUrl)
-  }, [panelFromUrl, setActiveTab])
+    completeNavigationTiming(pathname)
+  }, [pathname])
+
+  useEffect(() => {
+    completeNavigationTiming(panelHref(activeTab))
+  }, [activeTab])
+
+  useEffect(() => {
+    setActiveTab(normalizedPanel)
+    if (normalizedPanel === 'chat') {
+      setChatPanelOpen(false)
+    }
+    if (panelFromUrl === 'sessions') {
+      router.replace('/chat')
+    }
+  }, [panelFromUrl, normalizedPanel, router, setActiveTab, setChatPanelOpen])
 
   // Connect to SSE for real-time local DB events (tasks, agents, chat, etc.)
   useServerEvents()
   const [isClient, setIsClient] = useState(false)
+  const [initSteps, setInitSteps] = useState<Array<{ key: string; label: string; status: 'pending' | 'done' }>>([
+    { key: 'auth',         label: 'Authenticating operator',    status: 'pending' },
+    { key: 'capabilities', label: 'Detecting station mode',     status: 'pending' },
+    { key: 'config',       label: 'Loading control config',     status: 'pending' },
+    { key: 'connect',      label: 'Connecting runtime links',   status: 'pending' },
+    { key: 'agents',       label: 'Syncing agent registry',     status: 'pending' },
+    { key: 'sessions',     label: 'Loading active sessions',    status: 'pending' },
+    { key: 'projects',     label: 'Hydrating workspace board',  status: 'pending' },
+    { key: 'memory',       label: 'Mapping memory graph',       status: 'pending' },
+    { key: 'skills',       label: 'Indexing skill catalog',     status: 'pending' },
+  ])
+
+  const markStep = (key: string) => {
+    setInitSteps(prev => prev.map(s => s.key === key ? { ...s, status: 'done' } : s))
+  }
+
+  useEffect(() => {
+    if (!bootComplete && initSteps.every(s => s.status === 'done')) {
+      const t = setTimeout(() => setBootComplete(), 400)
+      return () => clearTimeout(t)
+    }
+  }, [initSteps, bootComplete, setBootComplete])
+
+  // Security console warning (anti-self-XSS)
+  useEffect(() => {
+    if (!bootComplete) return
+    if (typeof window === 'undefined') return
+    const key = 'mc-console-warning'
+    if (sessionStorage.getItem(key)) return
+    sessionStorage.setItem(key, '1')
+
+    console.log(
+      '%c  Stop!  ',
+      'color: #fff; background: #e53e3e; font-size: 40px; font-weight: bold; padding: 4px 16px; border-radius: 4px;'
+    )
+    console.log(
+      '%cThis is a browser feature intended for developers.\n\nIf someone told you to copy-paste something here to enable a feature or "hack" an account, it is a scam and will give them access to your account.',
+      'font-size: 14px; color: #e2e8f0; padding: 8px 0;'
+    )
+    console.log(
+      '%cLearn more: https://en.wikipedia.org/wiki/Self-XSS',
+      'font-size: 12px; color: #718096;'
+    )
+  }, [bootComplete])
 
   useEffect(() => {
     setIsClient(true)
 
+    // OpenClaw control-ui device identity requires a secure browser context.
+    // Redirect remote HTTP sessions to HTTPS automatically to avoid handshake failures.
+    if (window.location.protocol === 'http:' && !isLocalHost(window.location.hostname)) {
+      const secureUrl = new URL(window.location.href)
+      secureUrl.protocol = 'https:'
+      window.location.replace(secureUrl.toString())
+      return
+    }
+
+    const connectWithEnvFallback = () => {
+      const explicitWsUrl = process.env.NEXT_PUBLIC_GATEWAY_URL || ''
+      const gatewayPort = process.env.NEXT_PUBLIC_GATEWAY_PORT || '18789'
+      const gatewayHost = process.env.NEXT_PUBLIC_GATEWAY_HOST || window.location.hostname
+      const gatewayProto =
+        process.env.NEXT_PUBLIC_GATEWAY_PROTOCOL ||
+        (window.location.protocol === 'https:' ? 'wss' : 'ws')
+      const wsUrl = explicitWsUrl || `${gatewayProto}://${gatewayHost}:${gatewayPort}`
+      connect(wsUrl)
+    }
+
+    const connectWithPrimaryGateway = async (): Promise<{ attempted: boolean; connected: boolean }> => {
+      try {
+        const gatewaysRes = await fetch('/api/gateways')
+        if (!gatewaysRes.ok) return { attempted: false, connected: false }
+        const gatewaysJson = await gatewaysRes.json().catch(() => ({}))
+        const gateways = Array.isArray(gatewaysJson?.gateways) ? gatewaysJson.gateways as GatewaySummary[] : []
+        if (gateways.length === 0) return { attempted: false, connected: false }
+
+        const primaryGateway = gateways.find(gw => Number(gw?.is_primary) === 1) || gateways[0]
+        if (!primaryGateway?.id) return { attempted: true, connected: false }
+
+        const connectRes = await fetch('/api/gateways/connect', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ id: primaryGateway.id }),
+        })
+        if (!connectRes.ok) return { attempted: true, connected: false }
+
+        const payload = await connectRes.json().catch(() => ({}))
+        const wsUrl = typeof payload?.ws_url === 'string' ? payload.ws_url : ''
+        const wsToken = typeof payload?.token === 'string' ? payload.token : ''
+        if (!wsUrl) return { attempted: true, connected: false }
+
+        connect(wsUrl, wsToken)
+        return { attempted: true, connected: true }
+      } catch {
+        return { attempted: false, connected: false }
+      }
+    }
+
     // Fetch current user
     fetch('/api/auth/me')
       .then(async (res) => {
@@ -71,8 +207,8 @@ export default function Home() {
         }
         return null
       })
-      .then(data => { if (data?.user) setCurrentUser(data.user) })
-      .catch(() => {})
+      .then(data => { if (data?.user) setCurrentUser(data.user); markStep('auth') })
+      .catch(() => { markStep('auth') })
 
     // Check for available updates
     fetch('/api/releases/check')
@@ -88,16 +224,41 @@ export default function Home() {
       })
       .catch(() => {})
 
+    // Check for OpenClaw updates
+    fetch('/api/openclaw/version')
+      .then(res => res.ok ? res.json() : null)
+      .then(data => {
+        if (data?.updateAvailable) {
+          setOpenclawUpdate({
+            installed: data.installed,
+            latest: data.latest,
+            releaseUrl: data.releaseUrl,
+            releaseNotes: data.releaseNotes,
+            updateCommand: data.updateCommand,
+          })
+        }
+      })
+      .catch(() => {})
+
     // Check capabilities, then conditionally connect to gateway
     fetch('/api/status?action=capabilities')
       .then(res => res.ok ? res.json() : null)
-      .then(data => {
+      .then(async data => {
         if (data?.subscription) {
           setSubscription(data.subscription)
         }
+        if (data?.processUser) {
+          setDefaultOrgName(data.processUser)
+        }
+        if (data?.interfaceMode === 'essential' || data?.interfaceMode === 'full') {
+          setInterfaceMode(data.interfaceMode)
+        }
         if (data && data.gateway === false) {
           setDashboardMode('local')
           setGatewayAvailable(false)
+          setCapabilitiesChecked(true)
+          markStep('capabilities')
+          markStep('connect')
           // Skip WebSocket connect — no gateway to talk to
           return
         }
@@ -105,45 +266,86 @@ export default function Home() {
           setDashboardMode('full')
           setGatewayAvailable(true)
         }
-        // Connect to gateway WebSocket
-        const wsToken = process.env.NEXT_PUBLIC_GATEWAY_TOKEN || process.env.NEXT_PUBLIC_WS_TOKEN || ''
-        const explicitWsUrl = process.env.NEXT_PUBLIC_GATEWAY_URL || ''
-        const gatewayPort = process.env.NEXT_PUBLIC_GATEWAY_PORT || '18789'
-        const gatewayHost = process.env.NEXT_PUBLIC_GATEWAY_HOST || window.location.hostname
-        const gatewayProto =
-          process.env.NEXT_PUBLIC_GATEWAY_PROTOCOL ||
-          (window.location.protocol === 'https:' ? 'wss' : 'ws')
-        const wsUrl = explicitWsUrl || `${gatewayProto}://${gatewayHost}:${gatewayPort}`
-        connect(wsUrl, wsToken)
+        setCapabilitiesChecked(true)
+        markStep('capabilities')
+
+        const primaryConnect = await connectWithPrimaryGateway()
+        if (!primaryConnect.connected && !primaryConnect.attempted) {
+          connectWithEnvFallback()
+        }
+        markStep('connect')
       })
       .catch(() => {
         // If capabilities check fails, still try to connect
-        const wsToken = process.env.NEXT_PUBLIC_GATEWAY_TOKEN || process.env.NEXT_PUBLIC_WS_TOKEN || ''
-        const explicitWsUrl = process.env.NEXT_PUBLIC_GATEWAY_URL || ''
-        const gatewayPort = process.env.NEXT_PUBLIC_GATEWAY_PORT || '18789'
-        const gatewayHost = process.env.NEXT_PUBLIC_GATEWAY_HOST || window.location.hostname
-        const gatewayProto =
-          process.env.NEXT_PUBLIC_GATEWAY_PROTOCOL ||
-          (window.location.protocol === 'https:' ? 'wss' : 'ws')
-        const wsUrl = explicitWsUrl || `${gatewayProto}://${gatewayHost}:${gatewayPort}`
-        connect(wsUrl, wsToken)
+        setCapabilitiesChecked(true)
+        markStep('capabilities')
+        markStep('connect')
+        connectWithEnvFallback()
       })
-  }, [connect, pathname, router, setCurrentUser, setDashboardMode, setGatewayAvailable, setSubscription, setUpdateAvailable])
 
-  if (!isClient) {
-    return (
-      <div className="flex items-center justify-center min-h-screen">
-        <div className="flex flex-col items-center gap-3">
-          <div className="w-10 h-10 rounded-xl bg-primary flex items-center justify-center">
-            <span className="text-primary-foreground font-bold text-sm">MC</span>
-          </div>
-          <div className="flex items-center gap-2">
-            <div className="w-1.5 h-1.5 rounded-full bg-primary animate-pulse" />
-            <span className="text-sm text-muted-foreground">Loading Mission Control...</span>
-          </div>
-        </div>
-      </div>
-    )
+    // Check onboarding state
+    fetch('/api/onboarding')
+      .then(res => res.ok ? res.json() : null)
+      .then(data => {
+        const decision = getOnboardingSessionDecision({
+          isAdmin: data?.isAdmin === true,
+          serverShowOnboarding: data?.showOnboarding === true,
+          completed: data?.completed === true,
+          skipped: data?.skipped === true,
+          dismissedThisSession: readOnboardingDismissedThisSession(),
+        })
+
+        if (decision.shouldOpen) {
+          clearOnboardingDismissedThisSession()
+          if (decision.replayFromStart) {
+            markOnboardingReplayFromStart()
+          } else {
+            clearOnboardingReplayFromStart()
+          }
+          setShowOnboarding(true)
+        }
+        markStep('config')
+      })
+      .catch(() => { markStep('config') })
+    // Preload workspace data in parallel
+    Promise.allSettled([
+      fetch('/api/agents')
+        .then(r => r.ok ? r.json() : null)
+        .then((agentsData) => {
+          if (agentsData?.agents) setAgents(agentsData.agents)
+        })
+        .finally(() => { markStep('agents') }),
+      fetch('/api/sessions')
+        .then(r => r.ok ? r.json() : null)
+        .then((sessionsData) => {
+          if (sessionsData?.sessions) setSessions(sessionsData.sessions)
+        })
+        .finally(() => { markStep('sessions') }),
+      fetch('/api/projects')
+        .then(r => r.ok ? r.json() : null)
+        .then((projectsData) => {
+          if (projectsData?.projects) setProjects(projectsData.projects)
+        })
+        .finally(() => { markStep('projects') }),
+      fetch('/api/memory/graph?agent=all')
+        .then(r => r.ok ? r.json() : null)
+        .then((graphData) => {
+          if (graphData?.agents) setMemoryGraphAgents(graphData.agents)
+        })
+        .finally(() => { markStep('memory') }),
+      fetch('/api/skills')
+        .then(r => r.ok ? r.json() : null)
+        .then((skillsData) => {
+          if (skillsData?.skills) setSkillsData(skillsData.skills, skillsData.groups || [], skillsData.total || 0)
+        })
+        .finally(() => { markStep('skills') }),
+    ]).catch(() => { /* panels will lazy-load as fallback */ })
+
+  // eslint-disable-next-line react-hooks/exhaustive-deps -- boot once on mount, not on every pathname change
+  }, [connect, router, setCurrentUser, setDashboardMode, setGatewayAvailable, setCapabilitiesChecked, setSubscription, setUpdateAvailable, setShowOnboarding, setAgents, setSessions, setProjects, setInterfaceMode, setMemoryGraphAgents, setSkillsData])
+
+  if (!isClient || !bootComplete) {
+    return <Loader variant="page" steps={isClient ? initSteps : undefined} />
   }
 
   return (
@@ -151,33 +353,49 @@ export default function Home() {
       <a href="#main-content" className="sr-only focus:not-sr-only focus:absolute focus:z-50 focus:top-2 focus:left-2 focus:px-4 focus:py-2 focus:bg-primary focus:text-primary-foreground focus:rounded-md focus:text-sm focus:font-medium">
         Skip to main content
       </a>
+
       {/* Left: Icon rail navigation (hidden on mobile, shown as bottom bar instead) */}
-      <NavRail />
+      {!showOnboarding && <NavRail />}
 
       {/* Center: Header + Content */}
       <div className="flex-1 flex flex-col min-w-0">
-        <HeaderBar />
-        <LocalModeBanner />
-        <UpdateBanner />
-        <PromoBanner />
-        <main id="main-content" className="flex-1 overflow-auto pb-16 md:pb-0" role="main">
-          <div aria-live="polite">
+        {!showOnboarding && (
+          <>
+            <HeaderBar />
+            <LocalModeBanner />
+            <UpdateBanner />
+            <OpenClawUpdateBanner />
+            <OpenClawDoctorBanner />
+          </>
+        )}
+        <main
+          id="main-content"
+          className={`flex-1 overflow-auto pb-16 md:pb-0 ${showOnboarding ? 'pointer-events-none select-none blur-[2px] opacity-30' : ''}`}
+          role="main"
+          aria-hidden={showOnboarding}
+        >
+          <div aria-live="polite" className="flex flex-col min-h-full">
             <ErrorBoundary key={activeTab}>
               <ContentRouter tab={activeTab} />
             </ErrorBoundary>
           </div>
+          <footer className="px-4 pb-4 pt-2">
+            <p className="text-2xs text-muted-foreground/50 text-center">
+              Built with care by <a href="https://x.com/nyk_builderz" target="_blank" rel="noopener noreferrer" className="text-muted-foreground/70 hover:text-primary transition-colors duration-200">nyk</a>.
+            </p>
+          </footer>
         </main>
       </div>
 
       {/* Right: Live feed (hidden on mobile) */}
-      {liveFeedOpen && (
+      {!showOnboarding && liveFeedOpen && (
         <div className="hidden lg:flex h-full">
           <LiveFeed />
         </div>
       )}
 
       {/* Floating button to reopen LiveFeed when closed */}
-      {!liveFeedOpen && (
+      {!showOnboarding && !liveFeedOpen && (
         <button
           onClick={toggleLiveFeed}
           className="hidden lg:flex fixed right-0 top-1/2 -translate-y-1/2 z-30 w-6 h-12 items-center justify-center bg-card border border-r-0 border-border rounded-l-md text-muted-foreground hover:text-foreground hover:bg-secondary transition-all duration-200"
@@ -190,22 +408,70 @@ export default function Home() {
       )}
 
       {/* Chat panel overlay */}
-      <ChatPanel />
+      {!showOnboarding && <ChatPanel />}
+
+      {/* Global exec approval overlay (shown regardless of active panel) */}
+      {!showOnboarding && <ExecApprovalOverlay />}
+
+      {/* Global Project Manager Modal */}
+      {!showOnboarding && showProjectManagerModal && (
+        <ProjectManagerModal
+          onClose={() => setShowProjectManagerModal(false)}
+          onChanged={async () => { await fetchProjects() }}
+        />
+      )}
+
+      <OnboardingWizard />
     </div>
   )
 }
 
+const ESSENTIAL_PANELS = new Set([
+  'overview', 'agents', 'tasks', 'chat', 'activity', 'logs', 'settings',
+])
+
 function ContentRouter({ tab }: { tab: string }) {
-  const { dashboardMode } = useMissionControl()
+  const { dashboardMode, interfaceMode, setInterfaceMode } = useMissionControl()
+  const navigateToPanel = useNavigateToPanel()
   const isLocal = dashboardMode === 'local'
 
+  // Guard: show nudge for non-essential panels in essential mode
+  if (interfaceMode === 'essential' && !ESSENTIAL_PANELS.has(tab)) {
+    return (
+      <div className="flex flex-col items-center justify-center py-24 text-center gap-4">
+        <p className="text-sm text-muted-foreground">
+          <span className="font-medium text-foreground capitalize">{tab.replace(/-/g, ' ')}</span> is available in Full mode.
+        </p>
+        <div className="flex items-center gap-2">
+          <Button
+            variant="outline"
+            size="sm"
+            onClick={async () => {
+              setInterfaceMode('full')
+              try { await fetch('/api/settings', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ settings: { 'general.interface_mode': 'full' } }) }) } catch {}
+            }}
+          >
+            Switch to Full
+          </Button>
+          <Button
+            variant="ghost"
+            size="sm"
+            onClick={() => navigateToPanel('overview')}
+          >
+            Go to Overview
+          </Button>
+        </div>
+      </div>
+    )
+  }
+
   switch (tab) {
     case 'overview':
       return (
         <>
           <Dashboard />
           {!isLocal && (
-            <div className="mt-4 mx-4 mb-4 rounded-xl border border-border bg-card overflow-hidden">
+            <div className="mt-4 mx-4 mb-4 rounded-lg border border-border bg-card overflow-hidden">
               <AgentCommsPanel />
             </div>
           )}
@@ -217,38 +483,31 @@ function ContentRouter({ tab }: { tab: string }) {
       return (
         <>
           <OrchestrationBar />
+          {isLocal && <LocalAgentsDocPanel />}
           <AgentSquadPanelPhase3 />
-          {!isLocal && (
-            <div className="mt-4 mx-4 mb-4 rounded-xl border border-border bg-card overflow-hidden">
-              <AgentCommsPanel />
-            </div>
-          )}
         </>
       )
-    case 'activity':
-      return <ActivityFeedPanel />
     case 'notifications':
       return <NotificationsPanel />
     case 'standup':
       return <StandupPanel />
-    case 'spawn':
-      return <AgentSpawnPanel />
     case 'sessions':
-      return <SessionDetailsPanel />
+      return <ChatPagePanel />
     case 'logs':
       return <LogViewerPanel />
     case 'cron':
       return <CronManagementPanel />
     case 'memory':
       return <MemoryBrowserPanel />
+    case 'cost-tracker':
     case 'tokens':
-      return <TokenDashboardPanel />
     case 'agent-costs':
-      return <AgentCostPanel />
+      return <CostTrackerPanel />
     case 'users':
       return <UserManagementPanel />
     case 'history':
-      return <AgentHistoryPanel />
+    case 'activity':
+      return <ActivityFeedPanel />
     case 'audit':
       return <AuditTrailPanel />
     case 'webhooks':
@@ -256,24 +515,53 @@ function ContentRouter({ tab }: { tab: string }) {
     case 'alerts':
       return <AlertRulesPanel />
     case 'gateways':
+      if (isLocal) return <LocalModeUnavailable panel={tab} />
       return <MultiGatewayPanel />
     case 'gateway-config':
+      if (isLocal) return <LocalModeUnavailable panel={tab} />
       return <GatewayConfigPanel />
     case 'integrations':
       return <IntegrationsPanel />
     case 'settings':
       return <SettingsPanel />
+    case 'super-admin':
+      return <SuperAdminPanel />
     case 'github':
       return <GitHubSyncPanel />
     case 'office':
       return <OfficePanel />
-    case 'documents':
-      return <DocumentsPanel />
-    case 'super-admin':
-      return <SuperAdminPanel />
-    case 'workspaces':
-      return <SuperAdminPanel />
-    default:
-      return <Dashboard />
+    case 'skills':
+      return <SkillsPanel />
+    case 'channels':
+      if (isLocal) return <LocalModeUnavailable panel={tab} />
+      return <ChannelsPanel />
+    case 'nodes':
+      if (isLocal) return <LocalModeUnavailable panel={tab} />
+      return <NodesPanel />
+    case 'security':
+      return <SecurityAuditPanel />
+    case 'debug':
+      return <DebugPanel />
+    case 'exec-approvals':
+      if (isLocal) return <LocalModeUnavailable panel={tab} />
+      return <ExecApprovalPanel />
+    case 'chat':
+      return <ChatPagePanel />
+    default: {
+      return renderPluginPanel(tab)
+    }
   }
 }
+
+function LocalModeUnavailable({ panel }: { panel: string }) {
+  return (
+    <div className="flex flex-col items-center justify-center py-24 text-center">
+      <p className="text-sm text-muted-foreground">
+        <span className="font-medium text-foreground">{panel}</span> requires an OpenClaw gateway connection.
+      </p>
+      <p className="text-xs text-muted-foreground mt-1">
+        Configure a gateway to enable this panel.
+      </p>
+    </div>
+  )
+}

src/app/api/activities/route.ts

@@ -49,8 +49,14 @@ async function handleActivitiesRequest(request: NextRequest, workspaceId: number
     const params: any[] = [workspaceId];
     
     if (type) {
-      query += ' AND type = ?';
-      params.push(type);
+      const types = type.split(',').map(t => t.trim()).filter(Boolean);
+      if (types.length === 1) {
+        query += ' AND type = ?';
+        params.push(types[0]);
+      } else if (types.length > 1) {
+        query += ` AND type IN (${types.map(() => '?').join(',')})`;
+        params.push(...types);
+      }
     }
     
     if (actor) {
@@ -132,8 +138,14 @@ async function handleActivitiesRequest(request: NextRequest, workspaceId: number
     const countParams: any[] = [workspaceId];
     
     if (type) {
-      countQuery += ' AND type = ?';
-      countParams.push(type);
+      const types = type.split(',').map(t => t.trim()).filter(Boolean);
+      if (types.length === 1) {
+        countQuery += ' AND type = ?';
+        countParams.push(types[0]);
+      } else if (types.length > 1) {
+        countQuery += ` AND type IN (${types.map(() => '?').join(',')})`;
+        countParams.push(...types);
+      }
     }
     
     if (actor) {

src/app/api/adapters/route.ts

@@ -0,0 +1,118 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { requireRole } from '@/lib/auth'
+import { getAdapter, listAdapters } from '@/lib/adapters'
+import { agentHeartbeatLimiter } from '@/lib/rate-limit'
+import { logger } from '@/lib/logger'
+
+/**
+ * GET /api/adapters — List available framework adapters.
+ */
+export async function GET(request: NextRequest) {
+  const auth = requireRole(request, 'viewer')
+  if ('error' in auth) return NextResponse.json({ error: auth.error }, { status: auth.status })
+
+  return NextResponse.json({ adapters: listAdapters() })
+}
+
+/**
+ * POST /api/adapters — Framework-agnostic agent action dispatcher.
+ *
+ * Body: { framework, action, payload }
+ *
+ * Actions:
+ *   register   — Register an agent via its framework adapter
+ *   heartbeat  — Send a heartbeat/status update
+ *   report     — Report task progress
+ *   assignments — Get pending task assignments
+ *   disconnect — Disconnect an agent
+ */
+export async function POST(request: NextRequest) {
+  const auth = requireRole(request, 'operator')
+  if ('error' in auth) return NextResponse.json({ error: auth.error }, { status: auth.status })
+
+  const rateLimited = agentHeartbeatLimiter(request)
+  if (rateLimited) return rateLimited
+
+  let body: any
+  try {
+    body = await request.json()
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
+  }
+
+  const framework = typeof body?.framework === 'string' ? body.framework.trim() : ''
+  const action = typeof body?.action === 'string' ? body.action.trim() : ''
+  const payload = body?.payload ?? {}
+
+  if (!framework || !action) {
+    return NextResponse.json({ error: 'framework and action are required' }, { status: 400 })
+  }
+
+  let adapter
+  try {
+    adapter = getAdapter(framework)
+  } catch {
+    return NextResponse.json({
+      error: `Unknown framework: ${framework}. Available: ${listAdapters().join(', ')}`,
+    }, { status: 400 })
+  }
+
+  try {
+    switch (action) {
+      case 'register': {
+        const { agentId, name, metadata } = payload
+        if (!agentId || !name) {
+          return NextResponse.json({ error: 'payload.agentId and payload.name required' }, { status: 400 })
+        }
+        await adapter.register({ agentId, name, framework, metadata })
+        return NextResponse.json({ ok: true, action: 'register', framework })
+      }
+
+      case 'heartbeat': {
+        const { agentId, status, metrics } = payload
+        if (!agentId) {
+          return NextResponse.json({ error: 'payload.agentId required' }, { status: 400 })
+        }
+        await adapter.heartbeat({ agentId, status: status || 'online', metrics })
+        return NextResponse.json({ ok: true, action: 'heartbeat', framework })
+      }
+
+      case 'report': {
+        const { taskId, agentId, progress, status: taskStatus, output } = payload
+        if (!taskId || !agentId) {
+          return NextResponse.json({ error: 'payload.taskId and payload.agentId required' }, { status: 400 })
+        }
+        await adapter.reportTask({ taskId, agentId, progress: progress ?? 0, status: taskStatus || 'in_progress', output })
+        return NextResponse.json({ ok: true, action: 'report', framework })
+      }
+
+      case 'assignments': {
+        const { agentId } = payload
+        if (!agentId) {
+          return NextResponse.json({ error: 'payload.agentId required' }, { status: 400 })
+        }
+        const assignments = await adapter.getAssignments(agentId)
+        return NextResponse.json({ assignments, framework })
+      }
+
+      case 'disconnect': {
+        const { agentId } = payload
+        if (!agentId) {
+          return NextResponse.json({ error: 'payload.agentId required' }, { status: 400 })
+        }
+        await adapter.disconnect(agentId)
+        return NextResponse.json({ ok: true, action: 'disconnect', framework })
+      }
+
+      default:
+        return NextResponse.json({
+          error: `Unknown action: ${action}. Use: register, heartbeat, report, assignments, disconnect`,
+        }, { status: 400 })
+    }
+  } catch (error) {
+    logger.error({ err: error, framework, action }, 'POST /api/adapters error')
+    return NextResponse.json({ error: 'Adapter action failed' }, { status: 500 })
+  }
+}
+
+export const dynamic = 'force-dynamic'

src/app/api/agents/[id]/files/route.ts

@@ -0,0 +1,153 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { getDatabase, db_helpers } from '@/lib/db'
+import { requireRole } from '@/lib/auth'
+import { config } from '@/lib/config'
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
+import { dirname, isAbsolute, resolve } from 'node:path'
+import { resolveWithin } from '@/lib/paths'
+import { getAgentWorkspaceCandidates, readAgentWorkspaceFile } from '@/lib/agent-workspace'
+import { logger } from '@/lib/logger'
+
+const ALLOWED_FILES = new Set([
+  'agent.md',
+  'identity.md',
+  'soul.md',
+  'WORKING.md',
+  'MEMORY.md',
+  'TOOLS.md',
+  'AGENTS.md',
+  'MISSION.md',
+  'USER.md',
+])
+const FILE_ALIASES: Record<string, string[]> = {
+  'agent.md': ['agent.md', 'AGENT.md', 'MISSION.md', 'USER.md'],
+  'identity.md': ['identity.md', 'IDENTITY.md'],
+  'soul.md': ['soul.md', 'SOUL.md'],
+  'WORKING.md': ['WORKING.md', 'working.md'],
+  'MEMORY.md': ['MEMORY.md', 'memory.md'],
+  'TOOLS.md': ['TOOLS.md', 'tools.md'],
+  'AGENTS.md': ['AGENTS.md', 'agents.md'],
+  'MISSION.md': ['MISSION.md', 'mission.md'],
+  'USER.md': ['USER.md', 'user.md'],
+}
+
+function resolveAgentWorkspacePath(workspace: string): string {
+  if (isAbsolute(workspace)) return resolve(workspace)
+  if (!config.openclawStateDir) throw new Error('OPENCLAW_STATE_DIR not configured')
+  return resolveWithin(config.openclawStateDir, workspace)
+}
+
+function getAgentByIdOrName(db: ReturnType<typeof getDatabase>, id: string, workspaceId: number): any | undefined {
+  if (isNaN(Number(id))) {
+    return db.prepare('SELECT * FROM agents WHERE name = ? AND workspace_id = ?').get(id, workspaceId)
+  }
+  return db.prepare('SELECT * FROM agents WHERE id = ? AND workspace_id = ?').get(Number(id), workspaceId)
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = requireRole(request, 'viewer')
+  if ('error' in auth) return NextResponse.json({ error: auth.error }, { status: auth.status })
+
+  try {
+    const { id } = await params
+    const db = getDatabase()
+    const workspaceId = auth.user.workspace_id ?? 1
+    const agent = getAgentByIdOrName(db, id, workspaceId)
+    if (!agent) return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
+
+    const agentConfig = agent.config ? JSON.parse(agent.config) : {}
+    const candidates = getAgentWorkspaceCandidates(agentConfig, agent.name)
+    if (candidates.length === 0) {
+      return NextResponse.json({ error: 'Agent workspace is not configured' }, { status: 400 })
+    }
+    const safeWorkspace = candidates[0]
+    const requested = (new URL(request.url).searchParams.get('file') || '').trim()
+    const files = requested
+      ? [requested]
+      : ['agent.md', 'identity.md', 'soul.md', 'WORKING.md', 'MEMORY.md', 'TOOLS.md', 'AGENTS.md', 'MISSION.md', 'USER.md']
+
+    const payload: Record<string, { exists: boolean; content: string }> = {}
+    for (const file of files) {
+      if (!ALLOWED_FILES.has(file)) {
+        return NextResponse.json({ error: `Unsupported file: ${file}` }, { status: 400 })
+      }
+      const aliases = FILE_ALIASES[file] || [file]
+      const match = readAgentWorkspaceFile(candidates, aliases)
+      payload[file] = { exists: match.exists, content: match.content }
+    }
+
+    return NextResponse.json({
+      agent: { id: agent.id, name: agent.name },
+      workspace: safeWorkspace,
+      files: payload,
+    })
+  } catch (error) {
+    logger.error({ err: error }, 'GET /api/agents/[id]/files error')
+    return NextResponse.json({ error: 'Failed to load workspace files' }, { status: 500 })
+  }
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = requireRole(request, 'operator')
+  if ('error' in auth) return NextResponse.json({ error: auth.error }, { status: auth.status })
+
+  try {
+    const { id } = await params
+    const body = await request.json()
+    const file = String(body?.file || '').trim()
+    const content = String(body?.content || '')
+    const MAX_WORKSPACE_FILE_SIZE = 1024 * 1024 // 1 MB
+    if (content.length > MAX_WORKSPACE_FILE_SIZE) {
+      return NextResponse.json({ error: `File content too large (max ${MAX_WORKSPACE_FILE_SIZE} bytes)` }, { status: 413 })
+    }
+    if (!ALLOWED_FILES.has(file)) {
+      return NextResponse.json({ error: `Unsupported file: ${file}` }, { status: 400 })
+    }
+
+    const db = getDatabase()
+    const workspaceId = auth.user.workspace_id ?? 1
+    const agent = getAgentByIdOrName(db, id, workspaceId)
+    if (!agent) return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
+
+    const agentConfig = agent.config ? JSON.parse(agent.config) : {}
+    const candidates = getAgentWorkspaceCandidates(agentConfig, agent.name)
+    const safeWorkspace = candidates[0]
+    if (!safeWorkspace) {
+      return NextResponse.json({ error: 'Agent workspace is not configured' }, { status: 400 })
+    }
+
+    const safePath = resolveWithin(safeWorkspace, file)
+    mkdirSync(dirname(safePath), { recursive: true })
+    writeFileSync(safePath, content, 'utf-8')
+
+    if (file === 'soul.md') {
+      db.prepare('UPDATE agents SET soul_content = ?, updated_at = unixepoch() WHERE id = ? AND workspace_id = ?')
+        .run(content, agent.id, workspaceId)
+    }
+    if (file === 'WORKING.md') {
+      db.prepare('UPDATE agents SET working_memory = ?, updated_at = unixepoch() WHERE id = ? AND workspace_id = ?')
+        .run(content, agent.id, workspaceId)
+    }
+
+    db_helpers.logActivity(
+      'agent_workspace_file_updated',
+      'agent',
+      agent.id,
+      auth.user.username,
+      `${file} updated for ${agent.name}`,
+      { file, size: content.length },
+      workspaceId
+    )
+
+    return NextResponse.json({ success: true, file, size: content.length })
+  } catch (error) {
+    logger.error({ err: error }, 'PUT /api/agents/[id]/files error')
+    return NextResponse.json({ error: 'Failed to save workspace file' }, { status: 500 })
+  }
+}

src/app/api/agents/[id]/heartbeat/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { getDatabase, db_helpers } from '@/lib/db';
 import { requireRole } from '@/lib/auth';
+import { agentHeartbeatLimiter } from '@/lib/rate-limit';
 import { logger } from '@/lib/logger';
 
 /**
@@ -189,6 +190,9 @@ export async function POST(
   const auth = requireRole(request, 'operator');
   if ('error' in auth) return NextResponse.json({ error: auth.error }, { status: auth.status });
 
+  const rateLimited = agentHeartbeatLimiter(request);
+  if (rateLimited) return rateLimited;
+
   let body: any = {};
   try {
     body = await request.json();

src/app/api/agents/[id]/memory/route.ts

@@ -2,6 +2,17 @@ import { NextRequest, NextResponse } from 'next/server';
 import { getDatabase, db_helpers } from '@/lib/db';
 import { requireRole } from '@/lib/auth';
 import { logger } from '@/lib/logger';
+import { config } from '@/lib/config';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { dirname, isAbsolute, resolve } from 'node:path';
+import { resolveWithin } from '@/lib/paths';
+import { getAgentWorkspaceCandidates, readAgentWorkspaceFile } from '@/lib/agent-workspace';
+
+function resolveAgentWorkspacePath(workspace: string): string {
+  if (isAbsolute(workspace)) return resolve(workspace)
+  if (!config.openclawStateDir) throw new Error('OPENCLAW_STATE_DIR not configured')
+  return resolveWithin(config.openclawStateDir, workspace)
+}
 
 /**
  * GET /api/agents/[id]/memory - Get agent's working memory
@@ -43,11 +54,28 @@ export async function GET(
       db.exec("ALTER TABLE agents ADD COLUMN working_memory TEXT DEFAULT ''");
     }
     
+    // Prefer workspace WORKING.md, fall back to DB working_memory
+    let workingMemory = '';
+    let source: 'workspace' | 'database' | 'none' = 'none';
+    try {
+      const agentConfig = agent.config ? JSON.parse(agent.config) : {};
+      const candidates = getAgentWorkspaceCandidates(agentConfig, agent.name);
+      const match = readAgentWorkspaceFile(candidates, ['WORKING.md', 'working.md', 'MEMORY.md', 'memory.md']);
+      if (match.exists) {
+        workingMemory = match.content;
+        source = 'workspace';
+      }
+    } catch (err) {
+      logger.warn({ err, agent: agent.name }, 'Failed to read WORKING.md from workspace');
+    }
+
     // Get working memory content
     const memoryStmt = db.prepare(`SELECT working_memory FROM agents WHERE ${isNaN(Number(agentId)) ? 'name' : 'id'} = ? AND workspace_id = ?`);
     const result = memoryStmt.get(agentId, workspaceId) as any;
-    
-    const workingMemory = result?.working_memory || '';
+    if (!workingMemory) {
+      workingMemory = result?.working_memory || '';
+      source = workingMemory ? 'database' : 'none';
+    }
     
     return NextResponse.json({
       agent: {
@@ -56,6 +84,7 @@ export async function GET(
         role: agent.role
       },
       working_memory: workingMemory,
+      source,
       updated_at: agent.updated_at,
       size: workingMemory.length
     });
@@ -118,6 +147,22 @@ export async function PUT(
     }
     
     const now = Math.floor(Date.now() / 1000);
+
+    // Best effort: sync workspace WORKING.md if agent workspace is configured
+    let savedToWorkspace = false;
+    try {
+      const agentConfig = agent.config ? JSON.parse(agent.config) : {};
+      const candidates = getAgentWorkspaceCandidates(agentConfig, agent.name);
+      const safeWorkspace = candidates[0];
+      if (safeWorkspace) {
+        const safeWorkingPath = resolveWithin(safeWorkspace, 'WORKING.md');
+        mkdirSync(dirname(safeWorkingPath), { recursive: true });
+        writeFileSync(safeWorkingPath, newContent, 'utf-8');
+        savedToWorkspace = true;
+      }
+    } catch (err) {
+      logger.warn({ err, agent: agent.name }, 'Failed to write WORKING.md to workspace');
+    }
     
     // Update working memory
     const updateStmt = db.prepare(`
@@ -135,10 +180,11 @@ export async function PUT(
       agent.id,
       agent.name,
       `Working memory ${append ? 'appended' : 'updated'} for agent ${agent.name}`,
-      { 
+      {
         content_length: newContent.length,
         append_mode: append || false,
-        timestamp: now
+        timestamp: now,
+        saved_to_workspace: savedToWorkspace
       },
       workspaceId
     );
@@ -147,6 +193,7 @@ export async function PUT(
       success: true,
       message: `Working memory ${append ? 'appended' : 'updated'} for ${agent.name}`,
       working_memory: newContent,
+      saved_to_workspace: savedToWorkspace,
       updated_at: now,
       size: newContent.length
     });
@@ -185,6 +232,20 @@ export async function DELETE(
     }
     
     const now = Math.floor(Date.now() / 1000);
+
+    // Best effort: clear workspace WORKING.md if agent workspace is configured
+    try {
+      const agentConfig = agent.config ? JSON.parse(agent.config) : {};
+      const candidates = getAgentWorkspaceCandidates(agentConfig, agent.name);
+      const safeWorkspace = candidates[0];
+      if (safeWorkspace) {
+        const safeWorkingPath = resolveWithin(safeWorkspace, 'WORKING.md');
+        mkdirSync(dirname(safeWorkingPath), { recursive: true });
+        writeFileSync(safeWorkingPath, '', 'utf-8');
+      }
+    } catch (err) {
+      logger.warn({ err, agent: agent.name }, 'Failed to clear WORKING.md in workspace');
+    }
     
     // Clear working memory
     const updateStmt = db.prepare(`

src/app/api/agents/[id]/route.ts

@@ -1,9 +1,10 @@
 import { NextRequest, NextResponse } from 'next/server'
 import { getDatabase, db_helpers, logAuditEvent } from '@/lib/db'
 import { requireRole } from '@/lib/auth'
-import { writeAgentToConfig, enrichAgentConfigFromWorkspace } from '@/lib/agent-sync'
+import { writeAgentToConfig, enrichAgentConfigFromWorkspace, removeAgentFromConfig } from '@/lib/agent-sync'
 import { eventBus } from '@/lib/event-bus'
 import { logger } from '@/lib/logger'
+import { runOpenClaw } from '@/lib/command'
 
 /**
  * GET /api/agents/[id] - Get a single agent by ID or name
@@ -102,20 +103,9 @@ export async function PUT(
       return writeBack
     }
 
-    // Unified save: gateway first, then DB. If DB fails after gateway write, attempt rollback.
-    if (shouldWriteToGateway) {
-      try {
-        await writeAgentToConfig(getWriteBackPayload(gateway_config))
-      } catch (err: any) {
-        return NextResponse.json(
-          { error: `Save failed: unable to update gateway config: ${err.message}` },
-          { status: 502 }
-        )
-      }
-    }
-
+    // Unified save: DB first (transactional, easy to revert), then gateway file.
+    // If gateway write fails after DB succeeds, revert DB to keep consistency.
     try {
-      // Build update
       const fields: string[] = ['updated_at = ?']
       const values: any[] = [now]
 
@@ -132,19 +122,31 @@ export async function PUT(
       values.push(agent.id, workspaceId)
       db.prepare(`UPDATE agents SET ${fields.join(', ')} WHERE id = ? AND workspace_id = ?`).run(...values)
     } catch (err: any) {
-      if (shouldWriteToGateway) {
+      return NextResponse.json({ error: `Save failed: ${err.message}` }, { status: 500 })
+    }
+
+    if (shouldWriteToGateway) {
+      try {
+        await writeAgentToConfig(getWriteBackPayload(gateway_config))
+      } catch (err: any) {
+        // Gateway write failed — revert DB to previous state
         try {
-          // Best-effort rollback to preserve consistency if DB update fails after gateway write.
-          await writeAgentToConfig(getWriteBackPayload(existingConfig))
-        } catch (rollbackErr: any) {
-          logger.error({ err: rollbackErr, agent: agent.name }, 'Failed to rollback gateway config after DB failure')
-          return NextResponse.json(
-            { error: `Save failed after gateway update and rollback failed: ${err.message}` },
-            { status: 500 }
-          )
+          const revertFields: string[] = ['updated_at = ?']
+          const revertValues: any[] = [agent.updated_at]
+          revertFields.push('role = ?')
+          revertValues.push(agent.role)
+          revertFields.push('config = ?')
+          revertValues.push(agent.config || '{}')
+          revertValues.push(agent.id, workspaceId)
+          db.prepare(`UPDATE agents SET ${revertFields.join(', ')} WHERE id = ? AND workspace_id = ?`).run(...revertValues)
+        } catch (revertErr: any) {
+          logger.error({ err: revertErr, agent: agent.name }, 'Failed to revert DB after gateway write failure')
         }
+        return NextResponse.json(
+          { error: `Save failed: unable to update gateway config: ${err.message}` },
+          { status: 502 }
+        )
       }
-      return NextResponse.json({ error: `Save failed: ${err.message}` }, { status: 500 })
     }
 
     if (shouldWriteToGateway) {
@@ -205,6 +207,13 @@ export async function DELETE(
     const db = getDatabase()
     const { id } = await params
     const workspaceId = auth.user.workspace_id ?? 1;
+    let removeWorkspace = false
+    try {
+      const body = await request.json()
+      removeWorkspace = Boolean(body?.remove_workspace)
+    } catch {
+      // Optional body
+    }
 
     let agent
     if (isNaN(Number(id))) {
@@ -217,6 +226,38 @@ export async function DELETE(
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
+    if (removeWorkspace) {
+      const agentConfig = agent.config ? JSON.parse(agent.config) : {}
+      const openclawId =
+        String(agentConfig?.openclawId || agent.name || '')
+          .toLowerCase()
+          .replace(/[^a-z0-9._-]+/g, '-')
+          .replace(/^-+|-+$/g, '') || agent.name
+      try {
+        await runOpenClaw(['agents', 'delete', openclawId, '--force'], { timeoutMs: 30000 })
+      } catch (err: any) {
+        logger.error({ err, openclawId, agent: agent.name }, 'Failed to remove OpenClaw agent/workspace')
+        return NextResponse.json(
+          { error: `Failed to remove OpenClaw workspace for ${agent.name}: ${err?.message || 'unknown error'}` },
+          { status: 502 }
+        )
+      }
+    }
+
+    let configCleanupWarning: string | null = null
+    try {
+      const agentConfig = agent.config ? JSON.parse(agent.config) : {}
+      const openclawId =
+        String(agentConfig?.openclawId || agent.name || '')
+          .toLowerCase()
+          .replace(/[^a-z0-9._-]+/g, '-')
+          .replace(/^-+|-+$/g, '') || agent.name
+      await removeAgentFromConfig({ id: openclawId, name: agent.name })
+    } catch (err: any) {
+      configCleanupWarning = `OpenClaw config cleanup skipped for ${agent.name}: ${err?.message || 'unknown error'}`
+      logger.warn({ err, agent: agent.name }, 'Failed to remove OpenClaw agent config entry')
+    }
+
     db.prepare('DELETE FROM agents WHERE id = ? AND workspace_id = ?').run(agent.id, workspaceId)
 
     db_helpers.logActivity(
@@ -225,13 +266,18 @@ export async function DELETE(
       agent.id,
       auth.user.username,
       `Deleted agent: ${agent.name}`,
-      { name: agent.name, role: agent.role },
+      { name: agent.name, role: agent.role, remove_workspace: removeWorkspace },
       workspaceId
     )
 
     eventBus.broadcast('agent.deleted', { id: agent.id, name: agent.name })
 
-    return NextResponse.json({ success: true, deleted: agent.name })
+    return NextResponse.json({
+      success: true,
+      deleted: agent.name,
+      remove_workspace: removeWorkspace,
+      ...(configCleanupWarning ? { warning: configCleanupWarning } : {}),
+    })
   } catch (error) {
     logger.error({ err: error }, 'DELETE /api/agents/[id] error')
     return NextResponse.json({ error: 'Failed to delete agent' }, { status: 500 })

src/app/api/agents/[id]/soul/route.ts

@@ -4,6 +4,7 @@ import { readFileSync, existsSync, readdirSync, writeFileSync, mkdirSync } from
 import { join, dirname, isAbsolute, resolve } from 'path';
 import { config } from '@/lib/config';
 import { resolveWithin } from '@/lib/paths';
+import { getAgentWorkspaceCandidates, readAgentWorkspaceFile } from '@/lib/agent-workspace';
 import { requireRole } from '@/lib/auth';
 import { logger } from '@/lib/logger';
 
@@ -47,13 +48,11 @@ export async function GET(
 
     try {
       const agentConfig = agent.config ? JSON.parse(agent.config) : {}
-      if (agentConfig.workspace) {
-        const safeWorkspace = resolveAgentWorkspacePath(agentConfig.workspace)
-        const safeSoulPath = resolveWithin(safeWorkspace, 'soul.md')
-        if (existsSync(safeSoulPath)) {
-          soulContent = readFileSync(safeSoulPath, 'utf-8')
-          source = 'workspace'
-        }
+      const candidates = getAgentWorkspaceCandidates(agentConfig, agent.name)
+      const match = readAgentWorkspaceFile(candidates, ['soul.md', 'SOUL.md'])
+      if (match.exists) {
+        soulContent = match.content
+        source = 'workspace'
       }
     } catch (err) {
       logger.warn({ err, agent: agent.name }, 'Failed to read soul.md from workspace')
@@ -163,8 +162,9 @@ export async function PUT(
     let savedToWorkspace = false
     try {
       const agentConfig = agent.config ? JSON.parse(agent.config) : {}
-      if (agentConfig.workspace) {
-        const safeWorkspace = resolveAgentWorkspacePath(agentConfig.workspace)
+      const candidates = getAgentWorkspaceCandidates(agentConfig, agent.name)
+      const safeWorkspace = candidates[0]
+      if (safeWorkspace) {
         const safeSoulPath = resolveWithin(safeWorkspace, 'soul.md')
         mkdirSync(dirname(safeSoulPath), { recursive: true })
         writeFileSync(safeSoulPath, newSoulContent || '', 'utf-8')